mirror of
https://github.com/rancher/plugins.git
synced 2025-07-10 05:34:02 +00:00
Bumps the golang group with 5 updates: | Package | From | To | | --- | --- | --- | | [github.com/Microsoft/hcsshim](https://github.com/Microsoft/hcsshim) | `0.11.4` | `0.12.0` | | [github.com/alexflint/go-filemutex](https://github.com/alexflint/go-filemutex) | `1.2.0` | `1.3.0` | | [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) | `2.13.2` | `2.16.0` | | [github.com/onsi/gomega](https://github.com/onsi/gomega) | `1.30.0` | `1.31.1` | | [golang.org/x/sys](https://github.com/golang/sys) | `0.15.0` | `0.17.0` | Updates `github.com/Microsoft/hcsshim` from 0.11.4 to 0.12.0 - [Release notes](https://github.com/Microsoft/hcsshim/releases) - [Commits](https://github.com/Microsoft/hcsshim/compare/v0.11.4...v0.12.0) Updates `github.com/alexflint/go-filemutex` from 1.2.0 to 1.3.0 - [Release notes](https://github.com/alexflint/go-filemutex/releases) - [Commits](https://github.com/alexflint/go-filemutex/compare/v1.2.0...v1.3.0) Updates `github.com/onsi/ginkgo/v2` from 2.13.2 to 2.16.0 - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.13.2...v2.16.0) Updates `github.com/onsi/gomega` from 1.30.0 to 1.31.1 - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.30.0...v1.31.1) Updates `golang.org/x/sys` from 0.15.0 to 0.17.0 - [Commits](https://github.com/golang/sys/compare/v0.15.0...v0.17.0) --- updated-dependencies: - dependency-name: github.com/Microsoft/hcsshim dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang - dependency-name: github.com/alexflint/go-filemutex dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: 
version-update:semver-minor dependency-group: golang - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang ... Signed-off-by: dependabot[bot] <support@github.com>
package log
import (
"bytes"
"encoding/json"
"errors"
"sync/atomic"
hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
)
// This package scrubs objects of potentially sensitive information to pass to logging
type (
	// genMap is the shape a JSON object takes when it is decoded without a
	// concrete struct type.
	genMap = map[string]interface{}

	// scrubberFunc redacts the sensitive fields of a decoded payload in place
	// and reports an error when the payload does not have the expected shape.
	scrubberFunc func(genMap) error
)

// _scrubbedReplacement is the placeholder written over every redacted value.
const _scrubbedReplacement = "<scrubbed>"

// ErrUnknownType is returned when a payload does not have the structure the
// selected scrubber expects.
var ErrUnknownType = errors.New("encoded object is of unknown type")

var (
	// _scrubKeywords lists the byte sequences that make a payload a candidate
	// for scrubbing. Matching is case sensitive, so "env" is not found inside
	// "Environment" and both spellings are listed.
	//
	// NOTE(review): a payload that contains neither sequence is returned
	// unmodified by the scrubbers in this file, whatever else it carries.
	_scrubKeywords = [][]byte{[]byte("env"), []byte("Environment")}

	// _scrub is the process-wide switch: non-zero means scrubbing is enabled.
	// Its zero value leaves scrubbing disabled. It is read and written through
	// sync/atomic only.
	_scrub int32
)
// SetScrubbing turns scrubbing of logged payloads on or off for the whole
// process. The flag is stored atomically, so it can be changed while other
// goroutines are reading it.
//
// The backing variable starts at zero, so nothing is scrubbed until this is
// called with true.
func SetScrubbing(enable bool) {
	// Go has no bool-to-integer conversion, so map the flag by hand.
	var state int32
	if enable {
		state = 1
	}
	atomic.StoreInt32(&_scrub, state)
}
// IsScrubbingEnabled reports whether scrubbing is currently switched on.
// The flag is loaded atomically; any non-zero value counts as enabled.
func IsScrubbingEnabled() bool {
	return atomic.LoadInt32(&_scrub) != 0
}
// ScrubProcessParameters scrubs HCS Create Process requests whose config is a
// JSON-encoded internal/hcs/schema2.ProcessParameters (aka
// hcsschema.ProcessParameters).
//
// The input is returned unchanged, with a nil error, when scrubbing is
// disabled, when it contains none of the scrub keywords, or when it is not
// valid JSON. Otherwise it is decoded, its Environment is replaced with a
// single placeholder entry, and the re-encoded document is returned.
//
// NOTE(review): the pass-through on invalid JSON means a malformed or
// truncated payload is handed back verbatim, environment included. Callers
// that log the result should be aware of that.
//
// NOTE(review): only Environment is overwritten here; every other field that
// ProcessParameters decodes (the command line, for example) is re-encoded as
// received. Confirm that no secrets are expected in those fields.
func ScrubProcessParameters(s string) (string, error) {
	// todo: deal with v1 ProcessConfig
	if !IsScrubbingEnabled() {
		return s, nil
	}
	raw := []byte(s)
	if !hasKeywords(raw) || !json.Valid(raw) {
		return s, nil
	}

	var params hcsschema.ProcessParameters
	if err := json.Unmarshal(raw, &params); err != nil {
		return "", err
	}
	// Replaced unconditionally, so the output always carries the placeholder
	// even when the decoded Environment was empty.
	params.Environment = map[string]string{_scrubbedReplacement: _scrubbedReplacement}

	scrubbed, err := encode(params)
	if err != nil {
		return "", err
	}
	return string(scrubbed), nil
}
// ScrubBridgeCreate scrubs requests sent over the bridge of type
// internal/gcs/protocol.containerCreate wrapping an
// internal/hcsoci.linuxHostedSystem.
//
// It delegates to scrubBytes with the container-create scrubber and returns
// that call's result and error as they are.
func ScrubBridgeCreate(b []byte) ([]byte, error) {
	scrubbed, err := scrubBytes(b, scrubBridgeCreate)
	return scrubbed, err
}
// scrubBridgeCreate redacts the nested container configuration of a decoded
// container-create request in place.
//
// It returns ErrUnknownType when m lacks the request-base keys, when
// "ContainerConfig" is absent, or when that field is not a string. Errors from
// scrubbing the nested document are returned unchanged.
func scrubBridgeCreate(m genMap) error {
	if !isRequestBase(m) {
		return ErrUnknownType
	}

	field, present := m["ContainerConfig"]
	if !present {
		return ErrUnknownType
	}

	// ContainerConfig is a json encoded struct passed as a regular string field
	cfg, isString := field.(string)
	if !isString {
		return ErrUnknownType
	}

	// The nested document goes through scrubBytes again, so its own
	// enabled/keyword/valid-JSON gate applies to the inner string as well.
	scrubbed, err := scrubBytes([]byte(cfg), scrubLinuxHostedSystem)
	if err != nil {
		return err
	}
	m["ContainerConfig"] = string(scrubbed)
	return nil
}
// scrubLinuxHostedSystem redacts a decoded hosted-system document in place:
// "annotations" under "OciSpecification" is replaced when present, and
// "env" under "OciSpecification"/"process" is replaced with a single
// placeholder entry.
//
// It returns nil only when process.env was found and replaced. In every other
// case it returns ErrUnknownType, including when annotations were already
// replaced but no process.env exists.
func scrubLinuxHostedSystem(m genMap) error {
	spec, ok := index(m, "OciSpecification")
	if !ok {
		return ErrUnknownType
	}

	if _, has := spec["annotations"]; has {
		spec["annotations"] = map[string]string{_scrubbedReplacement: _scrubbedReplacement}
	}

	proc, ok := index(spec, "process")
	if !ok {
		return ErrUnknownType
	}
	if _, has := proc["env"]; !has {
		return ErrUnknownType
	}

	proc["env"] = []string{_scrubbedReplacement}
	return nil
}
// ScrubBridgeExecProcess scrubs requests sent over the bridge of type
// internal/gcs/protocol.containerExecuteProcess.
//
// It delegates to scrubBytes with the execute-process scrubber and returns
// that call's result and error as they are.
func ScrubBridgeExecProcess(b []byte) ([]byte, error) {
	scrubbed, err := scrubBytes(b, scrubExecuteProcess)
	return scrubbed, err
}
// scrubExecuteProcess redacts the process parameters of a decoded
// execute-process request in place.
//
// It returns ErrUnknownType when m lacks the request-base keys, when
// "Settings" is missing or not an object, or when "ProcessParameters" is
// missing or not a string. Errors from ScrubProcessParameters are returned
// unchanged.
func scrubExecuteProcess(m genMap) error {
	if !isRequestBase(m) {
		return ErrUnknownType
	}

	settings, ok := index(m, "Settings")
	if !ok {
		return ErrUnknownType
	}

	field, ok := settings["ProcessParameters"]
	if !ok {
		return ErrUnknownType
	}

	// ProcessParameters is a json encoded struct passed as a regular string field
	encoded, ok := field.(string)
	if !ok {
		return ErrUnknownType
	}

	scrubbed, err := ScrubProcessParameters(encoded)
	if err != nil {
		return err
	}

	settings["ProcessParameters"] = scrubbed
	return nil
}
// scrubBytes decodes b as a JSON object, applies scrub to the decoded map and
// returns the re-encoded result.
//
// b is returned unchanged, with a nil error, when scrubbing is disabled, when
// b contains none of the scrub keywords, or when b is not valid JSON. On a
// decode, scrub or encode error the returned slice is nil, so nothing
// unscrubbed is handed back on those paths.
//
// NOTE(review): the keyword gate only looks for the sequences in
// _scrubKeywords, and the invalid-JSON case passes the input through. Both
// are pass-through paths a caller that logs the result should know about.
func scrubBytes(b []byte, scrub scrubberFunc) ([]byte, error) {
	if !(IsScrubbingEnabled() && hasKeywords(b) && json.Valid(b)) {
		return b, nil
	}

	decoded := genMap{}
	if err := json.Unmarshal(b, &decoded); err != nil {
		return nil, err
	}

	// could use regexp, but if the env strings contain braces, the regexp fails
	// parsing into individual structs would require access to private structs
	if err := scrub(decoded); err != nil {
		return nil, err
	}

	out, err := encode(decoded)
	if err != nil {
		return nil, err
	}
	return out, nil
}
// isRequestBase reports whether m carries both the "ActivityId" and the
// "ContainerId" key. Only the presence of the keys is checked, not their
// values.
func isRequestBase(m genMap) bool {
	// neither of these are (currently) `omitempty`
	for _, key := range [...]string{"ActivityId", "ContainerId"} {
		if _, present := m[key]; !present {
			return false
		}
	}
	return true
}
// index combines `m, ok := m[s]` and `m, ok := m.(genMap)`: it looks up key s
// and reports whether the value is itself a genMap.
//
// When the key is absent the original map is returned with false. When the
// key exists but its value is not a genMap, a nil map is returned with false.
func index(m genMap, s string) (genMap, bool) {
	v, found := m[s]
	if !found {
		return m, false
	}

	child, isMap := v.(genMap)
	return child, isMap
}
// hasKeywords reports whether b contains at least one of the byte sequences
// in _scrubKeywords. The comparison is a plain, case-sensitive substring
// search over the raw bytes; the payload is not parsed.
func hasKeywords(b []byte) bool {
	for i := range _scrubKeywords {
		if bytes.Contains(b, _scrubKeywords[i]) {
			return true
		}
	}
	return false
}