From 2ad733d5abe727ffed1fe396560348aa89921fad Mon Sep 17 00:00:00 2001 From: Daniil Fedotov Date: Mon, 25 Nov 2024 18:41:56 -0500 Subject: [PATCH] fix: Quote profile json when passing to kando in go code Fixes https://github.com/kanisterio/kanister/security/code-scanning/198 and https://github.com/kanisterio/kanister/security/code-scanning/199 Signed-off-by: Daniil Fedotov --- pkg/function/export_rds_snapshot_location.go | 7 +++-- pkg/function/rds_functions_test.go | 28 +++++++++++++++++--- pkg/function/restore_rds_snapshot.go | 7 +++-- 3 files changed, 35 insertions(+), 7 deletions(-) diff --git a/pkg/function/export_rds_snapshot_location.go b/pkg/function/export_rds_snapshot_location.go index c2df143550..ca32c18251 100644 --- a/pkg/function/export_rds_snapshot_location.go +++ b/pkg/function/export_rds_snapshot_location.go @@ -18,6 +18,7 @@ import ( "context" "encoding/json" "fmt" + "strconv" "strings" "time" @@ -435,6 +436,8 @@ func postgresBackupCommand(dbEndpoint, username, password string, dbList []strin return nil, errkit.New("No database found to backup") } + profileQuoted := strconv.Quote(string(profile)) + command := []string{ "bash", "-o", @@ -452,9 +455,9 @@ func postgresBackupCommand(dbEndpoint, username, password string, dbList []strin for db in "${dblist[@]}"; do echo "backing up $db db" && pg_dump $db -C --inserts > /backup/$db.sql; done - tar -zc backup | kando location push --profile '%s' --path "${BACKUP_PREFIX}/${BACKUP_ID}" - + tar -zc backup | kando location push --profile %s --path "${BACKUP_PREFIX}/${BACKUP_ID}" - kando output %s ${BACKUP_ID}`, - dbEndpoint, backupPrefix, backupID, strings.Join(dbList, " "), profile, ExportRDSSnapshotToLocBackupID), + dbEndpoint, backupPrefix, backupID, strings.Join(dbList, " "), profileQuoted, ExportRDSSnapshotToLocBackupID), } return command, nil } diff --git a/pkg/function/rds_functions_test.go b/pkg/function/rds_functions_test.go index fc037e6749..f278369a05 100644 --- a/pkg/function/rds_functions_test.go 
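Review bot: `strconv.Quote` yields a Go string literal, not a shell-quoted word, so inside the bash double quotes the new `--profile %s` argument still leaves `$` and backtick active: `\` and `"` are escaped, but a profile whose endpoint, prefix, bucket or credential value contains `$...` or `$(...)` is expanded by the shell before kando sees it, which corrupts the JSON and is the same class of problem this commit sets out to close. The usual fix is single-quoting with the only escape bash needs there, `profileQuoted := "'" + strings.ReplaceAll(string(profile), "'", "'\\''") + "'"` (`strings` is already imported in this file), after which the `strconv` import added in the first hunk is no longer needed. The same applies to the two `profileQuoted` hunks in restore_rds_snapshot.go, where `strings` would have to be imported in place of `strconv`. Note also that `dbEndpoint`, `backupPrefix` and `backupID` on the same format lines are interpolated with the same or less quoting, so they deserve the same treatment if they can carry user-supplied values. postgresBackupCommand starts before this hunk.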
+++ b/pkg/function/rds_functions_test.go @@ -60,10 +60,32 @@ func (s *RDSFunctionsTest) TestPrepareCommand(c *check.C) { command: []string{"bash", "-o", "errexit", "-o", "pipefail", "-c", fmt.Sprintf(` export PGHOST=%s - kando location pull --profile '%s' --path "%s" - | gunzip -c -f | sed 's/"LOCALE"/"LC_COLLATE"/' | psql -q -U "${PGUSER}" %s + kando location pull --profile "%s" --path "%s" - | gunzip -c -f | sed 's/"LOCALE"/"LC_COLLATE"/' | psql -q -U "${PGUSER}" %s `, "db-endpoint", "null", fmt.Sprintf("%s/%s", "/backup/postgres-backup", "backup-id"), postgres.DefaultConnectDatabase), }, }, + { + name: "PostgreS restore command with profile", + dbEngine: PostgrSQLEngine, + action: RestoreAction, + dbEndpoint: "db-endpoint", + username: "test-user", + password: "secret-pass", + backupPrefix: "/backup/postgres-backup", + backupID: "backup-id", + dbEngineVersion: "12.7", + errChecker: check.IsNil, + dbList: []string{"template1"}, + command: []string{"bash", "-o", "errexit", "-o", "pipefail", "-c", + fmt.Sprintf(` + export PGHOST=%s + kando location pull --profile "{\"Location\":{\"type\":\"\",\"bucket\":\"\",\"endpoint\":\"\",\"prefix\":\"\",\"region\":\"\"},\"Credential\":{\"Type\":\"\",\"KeyPair\":null,\"Secret\":null,\"KopiaServerSecret\":null},\"SkipSSLVerify\":false}" --path "%s" - | gunzip -c -f | sed 's/"LOCALE"/"LC_COLLATE"/' | psql -q -U "${PGUSER}" %s + `, "db-endpoint", fmt.Sprintf("%s/%s", "/backup/postgres-backup", "backup-id"), postgres.DefaultConnectDatabase), + }, + tp: param.TemplateParams{ + Profile: ¶m.Profile{}, + }, + }, { name: "PostgreS restore command", dbEngine: PostgrSQLEngine, 
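Review bot: The new "PostgreS restore command with profile" case only exercises an empty `param.Profile{}`, so it does not show that the quoting survives the characters the fix is about; a case whose profile carries a field value containing `"`, `\` and `$` (for example a prefix like `a"b$c`) would pin the exact JSON the shell hands to kando and would catch an escape that bash re-interprets. The expected string also hard-codes the full serialization of the empty struct, so it looks like any field added to `param.Profile` will break this case rather than the quoting logic; building the expectation from the marshalled profile, or asserting only on the `--profile` substring, would keep it focused on what changed. TestPrepareCommand starts before this hunk and continues past it.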
@@ -79,7 +101,7 @@ func (s *RDSFunctionsTest) TestPrepareCommand(c *check.C) { command: []string{"bash", "-o", "errexit", "-o", "pipefail", "-c", fmt.Sprintf(` export PGHOST=%s - kando location pull --profile '%s' --path "%s" - | gunzip -c -f | psql -q -U "${PGUSER}" %s + kando location pull --profile "%s" --path "%s" - | gunzip -c -f | psql -q -U "${PGUSER}" %s `, "db-endpoint", "null", fmt.Sprintf("%s/%s", "/backup/postgres-backup", "backup-id"), postgres.DefaultConnectDatabase), }, }, @@ -106,7 +128,7 @@ func (s *RDSFunctionsTest) TestPrepareCommand(c *check.C) { for db in "${dblist[@]}"; do echo "backing up $db db" && pg_dump $db -C --inserts > /backup/$db.sql; done - tar -zc backup | kando location push --profile '%s' --path "${BACKUP_PREFIX}/${BACKUP_ID}" - + tar -zc backup | kando location push --profile "%s" --path "${BACKUP_PREFIX}/${BACKUP_ID}" - kando output %s ${BACKUP_ID}`, "db-endpoint", "/backup/postgres-backup", "backup-id", strings.Join([]string{"template1"}, " "), "null", ExportRDSSnapshotToLocBackupID), }, diff --git a/pkg/function/restore_rds_snapshot.go b/pkg/function/restore_rds_snapshot.go index df5dd16957..76f482bfdd 100644 --- a/pkg/function/restore_rds_snapshot.go +++ b/pkg/function/restore_rds_snapshot.go @@ -17,6 +17,7 @@ package function import ( "context" "fmt" + "strconv" "time" "github.com/aws/aws-sdk-go/aws" @@ -335,6 +336,8 @@ func postgresRestoreCommand(pgHost, username, password string, backupArtifactPre replaceCommand = ` sed 's/"LOCALE"/"LC_COLLATE"/' |` } + profileQuoted := strconv.Quote(string(profile)) + return []string{ "bash", "-o", 
@@ -344,8 +347,8 @@ func postgresRestoreCommand(pgHost, username, password string, backupArtifactPre "-c", fmt.Sprintf(` export PGHOST=%s - kando location pull --profile '%s' --path "%s" - | gunzip -c -f |%s psql -q -U "${PGUSER}" %s - `, pgHost, profile, fmt.Sprintf("%s/%s", backupArtifactPrefix, backupID), replaceCommand, postgres.DefaultConnectDatabase), + kando location pull --profile %s --path "%s" - | gunzip -c -f |%s psql -q -U "${PGUSER}" %s + `, pgHost, profileQuoted, fmt.Sprintf("%s/%s", backupArtifactPrefix, backupID), replaceCommand, postgres.DefaultConnectDatabase), }, nil }