
Commit e80cfaa

authored
Merge pull request from GHSA-wqq8-664f-54hh
* test(core): verify that JobRequest.maskedTokenizedCommand really masks * feat(core): add aws.bakery-defaults.maskedPackerParameters configuration parameter with default value [ 'aws_access_key', 'aws_secret_key' ] to match what AWSBakeHandler uses and hide potentially secret information by default.
1 parent b0317d0 commit e80cfaa


4 files changed

+39
-6
lines changed


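--- a/rosco-core/src/main/groovy/com/netflix/spinnaker/rosco/providers/aws/AWSBakeHandler.groovy
+++ b/rosco-core/src/main/groovy/com/netflix/spinnaker/rosco/providers/aws/AWSBakeHandler.groovy
@@ -231,6 +231,11 @@ public class AWSBakeHandler extends CloudProviderBakeHandler {
 return new Bake(id: bakeId, ami: amiId, image_name: imageName, artifacts: artifacts)
 }
 
+@Override
+List<String> getMaskedPackerParameters() {
+return awsBakeryDefaults.maskedPackerParameters
+}
+
 private String lookupAmiByName(String name, String region, String account, VmType vmType, boolean mostRecent) {
 def images = AuthenticatedRequest.allowAnonymous(
 {
@@ -247,7 +252,7 @@ public class AWSBakeHandler extends CloudProviderBakeHandler {
 } else {
 image = images?.find { it.attributes.virtualizationType == vmType }
 }
-
+
 return image?.amis?.get(region)?.first()
 }
 }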
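Review bot: `getMaskedPackerParameters` returns `awsBakeryDefaults.maskedPackerParameters` as-is, so an operator who sets `aws.bakery-defaults.maskedPackerParameters` to an explicit null gets null back instead of an empty list; whether the masking code in `JobRequest` tolerates that is not visible here, and the two failure modes are a crashed bake or, worse, nothing masked at all. A defensive `return awsBakeryDefaults.maskedPackerParameters ?: []` closes that gap cheaply. The method also deserves a one-line Javadoc stating its contract, for example `/** Names of Packer variables whose values are replaced by a mask wherever the command line is logged or exposed. */`. AWSBakeHandler continues outside the hunk.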

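--- a/rosco-core/src/main/groovy/com/netflix/spinnaker/rosco/providers/aws/config/RoscoAWSConfiguration.groovy
+++ b/rosco-core/src/main/groovy/com/netflix/spinnaker/rosco/providers/aws/config/RoscoAWSConfiguration.groovy
@@ -58,6 +58,7 @@ class RoscoAWSConfiguration {
 String templateFile
 BakeRequest.VmType defaultVirtualizationType
 List<AWSOperatingSystemVirtualizationSettings> baseImages = []
+List<String> maskedPackerParameters = [ 'aws_access_key', 'aws_secret_key' ]
 }
 
 static class AWSOperatingSystemVirtualizationSettings {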
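Review bot: The new default masks `aws_access_key` and `aws_secret_key` only until someone configures `aws.bakery-defaults.maskedPackerParameters`, because a configured list replaces the default instead of extending it; an override that adds one extra variable and forgets the AWS keys silently reopens the exposure this advisory fixes. Say so on the field: `// Packer variables masked in job output. A configured value REPLACES this list, so keep aws_access_key and aws_secret_key in any override.` Merging the defaults into whatever is configured would be the more robust shape, but that belongs in the consumer of this property rather than in the configuration holder. The enclosing class continues outside the hunk.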

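--- a/rosco-core/src/test/groovy/com/netflix/spinnaker/rosco/providers/aws/AWSBakeHandlerSpec.groovy
+++ b/rosco-core/src/test/groovy/com/netflix/spinnaker/rosco/providers/aws/AWSBakeHandlerSpec.groovy
@@ -1441,6 +1441,32 @@ class AWSBakeHandlerSpec extends Specification implements TestDefaults {
 1 * packerCommandFactoryMock.buildPackerCommand("", parameterMap, null, "$configDir/$awsBakeryDefaults.templateFile")
 }
 
+void 'getMaskedPackerParameters returns the expected default'() {
+setup:
+@Subject
+AWSBakeHandler awsBakeHandler = new AWSBakeHandler(awsBakeryDefaults: new RoscoAWSConfiguration.AWSBakeryDefaults())
+
+when:
+def maskedPackerParams = awsBakeHandler.maskedPackerParameters
+
+then:
+maskedPackerParams == [ 'aws_access_key', 'aws_secret_key' ]
+}
+
+void 'getMaskedPackerParameters returns the expected default'() {
+setup:
+def paramsToMask = [ 'foo' ]
+@Subject
+AWSBakeHandler awsBakeHandler = new AWSBakeHandler(awsBakeryDefaults: new RoscoAWSConfiguration.AWSBakeryDefaults(maskedPackerParameters: paramsToMask))
+
+
+when:
+def maskedPackerParams = awsBakeHandler.maskedPackerParameters
+
+then:
+maskedPackerParams == paramsToMask
+}
+
 static class NoSleepRetry extends RetrySupport {
 void sleep(long time) {}
 }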
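Review bot: Both new feature methods carry the same name, `'getMaskedPackerParameters returns the expected default'` (the second begins at new line 1456), yet the second one exercises an explicitly configured list rather than the default. Spock rewrites feature method names internally, so this may well compile, but the duplicate is misleading in test reports and hides which case failed; the second should read `void 'getMaskedPackerParameters returns the configured value'() {`. AWSBakeHandlerSpec continues outside the hunk.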

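--- a/rosco-core/src/test/groovy/com/netflix/spinnaker/rosco/providers/util/LocalJobFriendlyPackerCommandFactorySpec.groovy
+++ b/rosco-core/src/test/groovy/com/netflix/spinnaker/rosco/providers/util/LocalJobFriendlyPackerCommandFactorySpec.groovy
@@ -75,18 +75,19 @@ class LocalJobFriendlyPackerCommandFactorySpec extends Specification implements
 when:
 def packerCommand = packerCommandFactory.buildPackerCommand("", parameterMap, null, "")
 def jobRequest = new JobRequest(tokenizedCommand: packerCommand, maskedParameters: maskedPackerParameters, jobId: SOME_UUID)
-def commandLine = new CommandLine(jobRequest.tokenizedCommand[0])
-def arguments = (String []) Arrays.copyOfRange(jobRequest.tokenizedCommand.toArray(), 1, jobRequest.tokenizedCommand.size())
+def maskedTokenizedCommand = jobRequest.maskedTokenizedCommand
+def commandLine = new CommandLine(maskedTokenizedCommand[0])
+def arguments = (String []) Arrays.copyOfRange(maskedTokenizedCommand.toArray(), 1, maskedTokenizedCommand.size())
 commandLine.addArguments(arguments, false)
 def g = commandLine.toString()
 def cmdLineList = commandLine.toStrings().toList()
 
-
 then:
 cmdLineList == expectedCommandLine
 
 where:
-parameterMap | maskedPackerParameters | expectedCommandLine
-[packages: "package1 package2"] | [] | ["packer", "build", "-color=false", "-var", "packages=package1 package2"]
+parameterMap | maskedPackerParameters | expectedCommandLine
+[packages: "package1 package2"] | [] | ["packer", "build", "-color=false", "-var", "packages=package1 package2"]
+[packages: "package1 package2", secret: "mysecret"] | ["secret"] | ["packer", "build", "-color=false", "-var", "packages=package1 package2", "-var", "secret=******"]
 }
 }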
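Review bot: The new `where:` row pins that `maskedTokenizedCommand` renders the secret as `secret=******`, but nothing asserts that `jobRequest.tokenizedCommand` still carries the real value, so a masking implementation that rewrote the command itself would pass this test while breaking the actual bake. Presumably the unmasked token is `secret=mysecret` given the `-var` layout of the expected row; a second data column such as `expectedUnmaskedLastToken` checked against `jobRequest.tokenizedCommand[-1]`, or a separate feature for the masked row, would close that gap. The enclosing feature method starts outside the hunk, and `def g = commandLine.toString()` on the unchanged line 82 remains unused.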
