Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Quote various strings coming from untrusted sources #2408

Merged
merged 1 commit into from
May 13, 2024
Merged

Quote various strings coming from untrusted sources #2408

merged 1 commit into from
May 13, 2024

Conversation

mtrmac
Copy link
Collaborator

@mtrmac mtrmac commented May 9, 2024

Typically, use %q instead of %s (or instead of "%s"), to expose various control characters and the like without interpreting them.

This is not really comprehensive; the codebase makes no general guarantee that any returned string values are free of control characters or other malicious/misleading metadata. Not even in returned "error" values (which can legitimately contain newlines, if nothing else).

A side effect of the code audit required by CVE-2024-3727 .

@mtrmac
Quote various strings coming from untrusted sources
cebe647 
Typically, use %q instead of %s (or instead of "%s"), to expose
various control characters and the like without interpreting them.

This is not really comprehensive; the codebase makes no _general_
guarantee that any returned string values are free of control
characters or other malicious/misleading metadata. Not even
in returned "error" values (which can legitimately contain newlines,
if nothing else).

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
mtrmac added a commit to mtrmac/skopeo that referenced this pull request May 9, 2024
@mtrmac
DO NOT MERGE: Update c/image from containers/image#2408
fa99ffd 
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Copy link
Collaborator Author

mtrmac commented May 9, 2024

See containers/skopeo#2325 for updated Skopeo tests.

mtrmac added a commit to mtrmac/skopeo that referenced this pull request May 13, 2024
@mtrmac
DO NOT MERGE: Update c/image from containers/image#2408
52c0676 
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
cgwalters
cgwalters approved these changes May 13, 2024
View reviewed changes
Copy link
Contributor

@cgwalters cgwalters left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I glanced through this and the changes I saw looked good, but I made no attempt to check or look for places that weren't changed.

@rhatdan
Copy link
Member

rhatdan commented May 13, 2024

LGTM

@rhatdan
Copy link
Member

rhatdan commented May 13, 2024

Skopeo tests need to be updated.

@mtrmac
Copy link
Collaborator Author

mtrmac commented May 13, 2024

There is a link to an updated version above.

@rhatdan rhatdan merged commit a979521 into containers:main May 13, 2024
7 of 10 checks passed
@mtrmac mtrmac deleted the quote-strings branch May 13, 2024 22:08
mtrmac added a commit to mtrmac/skopeo that referenced this pull request May 13, 2024
@mtrmac
Update c/image after containers/image#2408
7649059 
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
mtrmac added a commit to containers/skopeo that referenced this pull request May 13, 2024
@mtrmac
Merge pull request #2325 from mtrmac/quote-strings-tests
d244a61 
Update tests for containers/image#2408
TechIsCool pushed a commit to TechIsCool/skopeo that referenced this pull request May 15, 2024
@mtrmac @TechIsCool
Update c/image after containers/image#2408
6a3b81a 
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Signed-off-by: David Beck <david.beck@invitae.com>
@mtrmac mtrmac mentioned this pull request May 22, 2024
Merged
mtrmac added a commit to mtrmac/common that referenced this pull request May 22, 2024
@mtrmac
Update a test for containers/image#2408
4498726 
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
TomSweeneyRedHat added a commit to TomSweeneyRedHat/common that referenced this pull request May 22, 2024
@TomSweeneyRedHat
Update a test per c/image pull 2408
3fe0775 
Update the libimage/pull_test.go file, changing quote in one line

Based on containers/image#2408 from @mtrmac

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Luap99 added a commit to grisu48/podman that referenced this pull request May 23, 2024
@Luap99
test/e2e: fix new error message
db3abd0 
The new c/image version is returning a slightly new error message[1] so
make tests use the new one.

[1] containers/image#2408

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
TomSweeneyRedHat pushed a commit to TomSweeneyRedHat/podman that referenced this pull request May 29, 2024
@Luap99 @TomSweeneyRedHat
test/e2e: fix new error message
178600e 
The new c/image version is returning a slightly new error message[1] so
make tests use the new one.

[1] containers/image#2408

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cgwalters cgwalters cgwalters approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@mtrmac @rhatdan @cgwalters