File escape-terminal-special-characters-in-kubectl-1... of Package kubernetes1.24.35690

Overview Repositories Revisions Requests Users Attributes Meta

File escape-terminal-special-characters-in-kubectl-112553.patch of Package kubernetes1.24.35690

From dad0e937c0f76344363eb691b2668490ffef8537 Mon Sep 17 00:00:00 2001
From: David Leadbeater <dgl@dgl.cx>
Date: Mon, 31 Oct 2022 01:08:43 +1000
Subject: [PATCH] Escape terminal special characters in kubectl (#112553)

* Escape terminal special characters in kubectl

* Add escaping for kubectl alpha events
---
 .../cli-runtime/pkg/printers/tableprinter.go  | 13 ++++---
 .../pkg/printers/tableprinter_test.go         | 12 ++++++
 .../cli-runtime/pkg/printers/terminal.go      | 39 +++++++++++++++++++
 .../kubectl/pkg/cmd/events/event_printer.go   | 10 +++--
 .../pkg/cmd/events/event_printer_test.go      | 34 ++++++++++++++++
 .../kubectl/pkg/cmd/get/customcolumn.go       |  2 +-
 .../kubectl/pkg/cmd/get/customcolumn_test.go  | 16 ++++++++
 .../k8s.io/kubectl/pkg/describe/describe.go   |  7 +++-
 .../kubectl/pkg/describe/describe_test.go     | 19 +++++++++
 9 files changed, 139 insertions(+), 13 deletions(-)
 create mode 100644 staging/src/k8s.io/cli-runtime/pkg/printers/terminal.go

Index: kubernetes-1.24.17/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter.go
===================================================================
--- kubernetes-1.24.17.orig/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter.go
+++ kubernetes-1.24.17/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter.go
@@ -212,18 +212,19 @@ func printTable(table *metav1.Table, out
 				case string:
 					print := val
 					truncated := false
-					// truncate at newlines
-					newline := strings.Index(print, "\n")
-					if newline >= 0 {
+					// Truncate at the first newline, carriage return or formfeed
+					// (treated as a newline by tabwriter).
+					breakchar := strings.IndexAny(print, "\f\n\r")
+					if breakchar >= 0 {
 						truncated = true
-						print = print[:newline]
+						print = print[:breakchar]
 					}
-					fmt.Fprint(output, print)
+					WriteEscaped(output, print)
 					if truncated {
 						fmt.Fprint(output, "...")
 					}
 				default:
-					fmt.Fprint(output, val)
+					WriteEscaped(output, fmt.Sprint(val))
 				}
 			}
 		}
Index: kubernetes-1.24.17/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter_test.go
===================================================================
--- kubernetes-1.24.17.orig/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter_test.go
+++ kubernetes-1.24.17/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter_test.go
@@ -771,6 +771,18 @@ test1   20h   This is first line which i
 test1   20h   This is first...
 `,
 		},
+		// terminal special character, should be escaped
+		{
+			columns: []metav1.TableColumnDefinition{
+				{Name: "Name", Type: "string"},
+			},
+			rows: []metav1.TableRow{
+				{Cells: []interface{}{"test1\x1b"}},
+			},
+			expected: `NAME
+test1^[
+`,
+		},
 	}
 
 	for _, test := range tests {
Index: kubernetes-1.24.17/staging/src/k8s.io/cli-runtime/pkg/printers/terminal.go
===================================================================
--- /dev/null
+++ kubernetes-1.24.17/staging/src/k8s.io/cli-runtime/pkg/printers/terminal.go
@@ -0,0 +1,39 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"io"
+	"strings"
+)
+
+// terminalEscaper replaces ANSI escape sequences and other terminal special
+// characters to avoid terminal escape character attacks (issue #101695).
+var terminalEscaper = strings.NewReplacer("\x1b", "^[", "\r", "\\r")
+
+// WriteEscaped replaces unsafe terminal characters with replacement strings
+// and writes them to the given writer.
+func WriteEscaped(writer io.Writer, output string) error {
+	_, err := terminalEscaper.WriteString(writer, output)
+	return err
+}
+
+// EscapeTerminal escapes terminal special characters in a human readable (but
+// non-reversible) format.
+func EscapeTerminal(in string) string {
+	return terminalEscaper.Replace(in)
+}
Index: kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn.go
===================================================================
--- kubernetes-1.24.17.orig/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn.go
+++ kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn.go
@@ -252,7 +252,7 @@ func (s *CustomColumnsPrinter) printOneO
 		}
 		for arrIx := range values {
 			for valIx := range values[arrIx] {
-				valueStrings = append(valueStrings, fmt.Sprintf("%v", values[arrIx][valIx].Interface()))
+				valueStrings = append(valueStrings, printers.EscapeTerminal(fmt.Sprint(values[arrIx][valIx].Interface())))
 			}
 		}
 		columns[ix] = strings.Join(valueStrings, ",")
Index: kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn_test.go
===================================================================
--- kubernetes-1.24.17.orig/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn_test.go
+++ kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn_test.go
@@ -313,6 +313,22 @@ foo    baz
 foo    baz           <none>
 `,
 		},
+		{
+			columns: []Column{
+				{
+					Header:    "NAME",
+					FieldSpec: "{.metadata.name}",
+				},
+			},
+			obj: &corev1.PodList{
+				Items: []corev1.Pod{
+					{ObjectMeta: metav1.ObjectMeta{Name: "\x1b \r"}},
+				},
+			},
+			expectedOutput: `NAME
+^[ \r
+`,
+		},
 	}
 
 	for _, test := range tests {
Index: kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/describe/describe.go
===================================================================
--- kubernetes-1.24.17.orig/staging/src/k8s.io/kubectl/pkg/describe/describe.go
+++ kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/describe/describe.go
@@ -65,6 +65,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/cli-runtime/pkg/printers"
 	runtimeresource "k8s.io/cli-runtime/pkg/resource"
 	"k8s.io/client-go/dynamic"
 	clientset "k8s.io/client-go/kubernetes"
@@ -148,11 +149,13 @@ func (pw *prefixWriter) Write(level int,
 	for i := 0; i < level; i++ {
 		prefix += levelSpace
 	}
-	fmt.Fprintf(pw.out, prefix+format, a...)
+	output := fmt.Sprintf(prefix+format, a...)
+	printers.WriteEscaped(pw.out, output)
 }
 
 func (pw *prefixWriter) WriteLine(a ...interface{}) {
-	fmt.Fprintln(pw.out, a...)
+	output := fmt.Sprintln(a...)
+	printers.WriteEscaped(pw.out, output)
 }
 
 func (pw *prefixWriter) Flush() {
Index: kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
===================================================================
--- kubernetes-1.24.17.orig/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
+++ kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
@@ -5322,3 +5322,22 @@ func TestControllerRef(t *testing.T) {
 		t.Errorf("unexpected out: %s", out)
 	}
 }
+
+func TestDescribeTerminalEscape(t *testing.T) {
+	fake := fake.NewSimpleClientset(&corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        "mycm",
+			Namespace:   "foo",
+			Annotations: map[string]string{"annotation1": "terminal escape: \x1b"},
+		},
+	})
+	c := &describeClient{T: t, Namespace: "foo", Interface: fake}
+	d := ConfigMapDescriber{c}
+	out, err := d.Describe("foo", "mycm", DescriberSettings{ShowEvents: true})
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+	if strings.Contains(out, "\x1b") || !strings.Contains(out, "^[") {
+		t.Errorf("unexpected out: %s", out)
+	}
+}
Index: kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/cmd/events/events.go
===================================================================
--- kubernetes-1.24.17.orig/staging/src/k8s.io/kubectl/pkg/cmd/events/events.go
+++ kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/cmd/events/events.go
@@ -284,10 +284,11 @@ func printOneEvent(w io.Writer, e corev1
 	}
 	fmt.Fprintf(w, "%s\t%s\t%s\t%s/%s\t%v\n",
 		interval,
-		e.Type,
-		e.Reason,
-		e.InvolvedObject.Kind, e.InvolvedObject.Name,
-		strings.TrimSpace(e.Message),
+		printers.EscapeTerminal(e.Type),
+		printers.EscapeTerminal(e.Reason),
+		printers.EscapeTerminal(e.InvolvedObject.Kind),
+		printers.EscapeTerminal(e.InvolvedObject.Name),
+		printers.EscapeTerminal(strings.TrimSpace(e.Message)),
 	)
 }

Places

File escape-terminal-special-characters-in-kubectl-112553.patch of Package kubernetes1.24.35690

Places