Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clear the secrets from request for klog print in logGRPC() #1462

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Clear the secrets from request for klog print in logGRPC() #1462

wants to merge 1 commit into from

Conversation

mpatlasov
Copy link

@mpatlasov mpatlasov commented Oct 20, 2023
edited

Malicious user can put a secret in request as explained here: #1372.

What type of PR is this?

/kind bug

What this PR does / why we need it:

Malicious user can put a secret in request as explained here: #1372.

This PR simply clears the secrets from request.

Which issue(s) this PR fixes:

Fixes #1372

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 20, 2023
@k8s-ci-robot
Copy link
Contributor

Welcome @mpatlasov!

It looks like this is your first PR to kubernetes-sigs/gcp-compute-persistent-disk-csi-driver 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/gcp-compute-persistent-disk-csi-driver has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Oct 20, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @mpatlasov. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mpatlasov
Once this PR has been reviewed and has the lgtm label, please assign saikat-royc for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Oct 20, 2023
msau42
msau42 reviewed Oct 20, 2023
View reviewed changes
pkg/gce-pd-csi-driver/utils.go Outdated
klog.V(4).Infof("%s called with request: %s", info.FullMethod, req)
// However malicious user still can put a secret in request as explained here:
// https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/issues/1372
if klog.V(4).Enabled() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We regularly use log level 4 in production. Since this driver doesn't actually require any secret, can we just clear the secrets from the request?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@msau42 , the request may be of different types, i.e. NodeExpandVolumeRequest is not the only type with Secrets (e.g. CreateVolumeRequest, DeleteVolumeRequest, etc.). I didn't find any straightforward way to clear the secrets from a request of arbitrary type, can you tell me how you suggest to do it?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think we can leverage the reflect package? https://pkg.go.dev/reflect#example-Value.FieldByName potentially looks promising. Or could we even use https://pkg.go.dev/reflect#StructTag to create a more efficient protosanitizer?

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 30, 2023
@mpatlasov mpatlasov changed the title Sanitize request for klog print in logGRPC() Clear secrets from request for klog print in logGRPC() Oct 30, 2023
@mpatlasov mpatlasov changed the title Clear secrets from request for klog print in logGRPC() Clear the secrets from request for klog print in logGRPC() Oct 30, 2023
@mpatlasov
Copy link
Author

Last push reworks PR: instead of calling protosanitizer.StripSecrets(req), now it simply clears the secrets from request.

jsafrane
jsafrane reviewed Nov 2, 2023
View reviewed changes
pkg/gce-pd-csi-driver/utils.go Outdated Show resolved Hide resolved
pkg/gce-pd-csi-driver/utils.go Show resolved Hide resolved
@mpatlasov
Clear secrets from request for klog print in logGRPC()
afd457a 
Malicious user can put a secret in request as explained here: kubernetes-sigs#1372.
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 3, 2023
@mpatlasov
Copy link
Author

Last push addressed Jan's comment:

  • Reflection magic went to a separate function
  • Comment fixed
  • Unit-test added

@jsafrane
Copy link
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 29, 2023
@jsafrane
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 29, 2023
@mpatlasov
Copy link
Author

@msau42 , can you approve please?

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 8, 2023
@k8s-ci-robot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mpatlasov mpatlasov mentioned this pull request Dec 22, 2023
Closed
9 tasks
msau42
msau42 reviewed Dec 28, 2023
View reviewed changes
pkg/gce-pd-csi-driver/utils.go
@@ -56,14 +57,30 @@ func NewNodeServiceCapability(cap csi.NodeServiceCapability_RPC_Type) *csi.NodeS
}
}

// Reflect magic below simply clears Secrets map from request.
func clearSecrets(req interface{}) interface{} {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jsafrane how do you feel about putting this into csi-lib-utils as an alternative to protosanitizer so that it is not specific to a csi driver?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good to me, but with a huge warning that only field explicitly named Secrets is cleared.

pkg/gce-pd-csi-driver/utils.go
@@ -56,14 +57,30 @@ func NewNodeServiceCapability(cap csi.NodeServiceCapability_RPC_Type) *csi.NodeS
}
}

// Reflect magic below simply clears Secrets map from request.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be good to document all the assumptions about how secret fields are named in the csi spec.

msau42
msau42 reviewed Dec 28, 2023
View reviewed changes
pkg/gce-pd-csi-driver/utils.go
// Note that secrets are not included in any RPC message. In the past protosanitizer and other log
// Note that secrets may be included in some RPC messages
// (https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/issues/1372),
// but the driver ignores them. In the past protosanitizer and other log
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you able to do a benchmark test to show that the reflect method does not signficantly increase CPU usage?

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 4, 2024
@mpatlasov
Copy link
Author

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsafrane jsafrane jsafrane left review comments

@msau42 msau42 msau42 left review comments

@leiyiz leiyiz Awaiting requested review from leiyiz

@saikat-royc saikat-royc Awaiting requested review from saikat-royc

Assignees

@jsafrane jsafrane

Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesn't merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Driver can display the secret content of node-expand-secret-name
5 participants
@mpatlasov @k8s-ci-robot @jsafrane @k8s-triage-robot @msau42