fix smb mount issue #65751

Merged
merged 1 commit into from Jul 3, 2018

@andyzhangx
Member

andyzhangx commented Jul 3, 2018

What this PR does / why we need it:
fix smb mount issue:
Use PowerShell environment variables to store user input strings to prevent command line injection. The env var in PowerShell would be taken as a literal value and not as executable vulnerable code. This kind of fix is common for command line injection issues (called: parameterized way).

Originally, using the Go SDK for New-SmbGlobalMapping is the best solution, but after discussion with the Windows team, the Go API for New-SmbGlobalMapping is not ready yet and the new functionality of the basic win32 API NetUseAdd is not public yet. Using PowerShell with environment variables is also their recommended way.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #65750

Special notes for your reviewer:

  • This is a security issue fix, no behavior change, E2E test of smb mount passes.
  • Original logging as azureMount is incorrect since this mount_windows is for mounting disk & smb. It's a common feature on Windows, not specific to Azure. I will send another PR to fix all the logging naming issues; anyway, it's not related to this security issue. Let's keep this PR simple.

Release note:

fix smb mount security issue

/sig windows
/sig storage
/kind bug
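
The parameterized approach described in this PR, as an added Go example (not the code merged in this PR): the script text is a constant, and the user-supplied values reach PowerShell only through environment variables. The function names, the variable names `smbuser`, `smbpassword` and `smbremotepath`, and the sample input are assumptions made for illustration; the command is built but not run.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// interpolatedScript is the pattern being replaced: user input is pasted into
// the PowerShell source, so a quote in any field changes the script itself.
func interpolatedScript(user, password, remote string) string {
	return fmt.Sprintf(`$PWord = ConvertTo-SecureString -String "%s" -AsPlainText -Force`+
		`;$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList "%s", $PWord`+
		`;New-SmbGlobalMapping -RemotePath "%s" -Credential $Cred`, password, user, remote)
}

// fixedScript never changes: it only names environment variables, which
// PowerShell expands to string values without re-parsing them as code.
const fixedScript = `$PWord = ConvertTo-SecureString -String $Env:smbpassword -AsPlainText -Force` +
	`;$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Env:smbuser, $PWord` +
	`;New-SmbGlobalMapping -RemotePath $Env:smbremotepath -Credential $Cred`

// smbMappingCmd builds (does not run) the command; input travels only in Env.
func smbMappingCmd(user, password, remote string) *exec.Cmd {
	cmd := exec.Command("powershell", "/c", fixedScript)
	cmd.Env = append(os.Environ(),
		"smbuser="+user, "smbpassword="+password, "smbremotepath="+remote)
	return cmd
}

func main() {
	// Constructed input: a password containing a quote and a statement separator.
	pw := `pa"; Write-Output INJECTED; "`
	before := interpolatedScript("user1", pw, `\\server\share`)
	after := smbMappingCmd("user1", pw, `\\server\share`)
	fmt.Println("input reaches script text (before):", strings.Contains(before, "Write-Output INJECTED"))
	fmt.Println("input reaches script text (after): ", strings.Contains(strings.Join(after.Args, " "), "INJECTED"))
}
```

The values still sit in the child process's environment block, so this closes the injection path but does not change how the password is protected once it is inside the PowerShell process.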

@jessfraz
/assign @jsafrane @msau42

@jessfraz

Contributor

jessfraz commented Jul 3, 2018

/lgtm

@jessfraz

Contributor

jessfraz commented Jul 3, 2018

/approve

@jsafrane

Member

jsafrane commented Jul 3, 2018

/approve

@k8s-ci-robot

Contributor

k8s-ci-robot commented Jul 3, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andyzhangx, jessfraz, jsafrane

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-github-robot

Contributor

k8s-github-robot commented Jul 3, 2018

Automatic merge from submit-queue (batch tested with PRs 65381, 65751). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit d65039c into kubernetes:master Jul 3, 2018

17 checks passed

Submit Queue Queued to run github e2e tests a second time.
cla/linuxfoundation andyzhangx authorized
pull-kubernetes-bazel-build Job succeeded.
pull-kubernetes-bazel-test Job succeeded.
pull-kubernetes-cross Skipped
pull-kubernetes-e2e-gce Job succeeded.
pull-kubernetes-e2e-gce-100-performance Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
pull-kubernetes-e2e-gke Skipped
pull-kubernetes-e2e-kops-aws Job succeeded.
pull-kubernetes-integration Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
pull-kubernetes-local-e2e Skipped
pull-kubernetes-local-e2e-containerized Skipped
pull-kubernetes-node-e2e Job succeeded.
pull-kubernetes-typecheck Job succeeded.
pull-kubernetes-verify Job succeeded.

@andyzhangx andyzhangx changed the title from "fix smb mount security issue" to "fix smb mount issue" Jul 4, 2018

k8s-github-robot pushed a commit that referenced this pull request Jul 6, 2018

Kubernetes Submit Queue
Merge pull request #65806 from andyzhangx/automated-cherry-pick-of-#6…
…5751-upstream-release-1.10

Automatic merge from submit-queue.

Automated cherry pick of #65751: fix smb mount security issue

Cherry pick of #65751 on release-1.10.

#65751: fix smb mount security issue
@liggitt

Member

liggitt commented Jul 20, 2018

is this picked to 1.11.x as well?

@andyzhangx

Member Author

andyzhangx commented Jul 21, 2018

@liggitt thanks for the reminder, cherry picked to 1.11

k8s-github-robot pushed a commit that referenced this pull request Jul 26, 2018

Kubernetes Submit Queue
Merge pull request #66469 from andyzhangx/automated-cherry-pick-of-#6…
…5751-upstream-release-1.11

Automatic merge from submit-queue.

Automated cherry pick of #65751: fix smb mount security issue

Cherry pick of #65751 on release-1.11.

#65751: fix smb mount security issue

k8s-github-robot pushed a commit that referenced this pull request Jul 27, 2018

Kubernetes Submit Queue
Merge pull request #65807 from andyzhangx/automated-cherry-pick-of-#6…
…5751-upstream-release-1.9

Automatic merge from submit-queue.

Automated cherry pick of #65751: fix smb mount security issue

Cherry pick of #65751 on release-1.9.

#65751: fix smb mount security issue