Merge pull request #37869 from isbm/isbm-input-sanitation-16.11

Input sanitation (16.11)
2024-11-07 17:09:03 +00:00 · 2016-11-29 09:17:16 -07:00 · 2016-11-29 09:17:16 -07:00 · e2b9e58d30
commit e2b9e58d30
parent e539a94a56 f9ec5d68af
2 changed files with 67 additions and 0 deletions
--- a/salt/utils/sanitizers.py
+++ b/salt/utils/sanitizers.py
@ -0,0 +1,62 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright 2016 SUSE LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import re
+import os.path
+from salt.ext.six import text_type as text
+
+
+from salt.exceptions import CommandExecutionError
+
+
+class InputSanitizer(object):
+    @staticmethod
+    def trim(value):
+        '''
+        Raise an exception if value is empty. Otherwise strip it down.
+        :param value:
+        :return:
+        '''
+        value = (value or '').strip()
+        if not value:
+            raise CommandExecutionError("Empty value during sanitation")
+
+        return text(value)
+
+    @staticmethod
+    def filename(value):
+        '''
+        Remove everything that would affect paths in the filename
+
+        :param value:
+        :return:
+        '''
+        return re.sub('[^a-zA-Z0-9.-_ ]', '', os.path.basename(InputSanitizer.trim(value)))
+
+    @staticmethod
+    def hostname(value):
+        '''
+        Clean value for RFC1123.
+
+        :param value:
+        :return:
+        '''
+        return re.sub(r'[^a-zA-Z0-9.-]', '', InputSanitizer.trim(value))
+
+    id = hostname
+
+
+clean = InputSanitizer()
--- a/salt/wheel/key.py
+++ b/salt/wheel/key.py
@ -37,6 +37,8 @@ import logging
 from salt.key import get_key
 import salt.crypt
 import salt.utils
+from salt.utils.sanitizers import clean
+

 __func_alias__ = {
    'list_': 'list',
@ -318,6 +320,8 @@ def gen(id_=None, keysize=2048):
    '''
    if id_ is None:
        id_ = hashlib.sha512(os.urandom(32)).hexdigest()
+    else:
+        id_ = clean.filename(id_)
    ret = {'priv': '',
           'pub': ''}
    priv = salt.crypt.gen_keys(__opts__['pki_dir'], id_, keysize)
@ -371,6 +375,7 @@ def gen_accept(id_, keysize=2048, force=False):
        >>> wheel.cmd('key.list', ['accepted'])
        {'minions': ['foo', 'minion1', 'minion2', 'minion3']}
    '''
+    id_ = clean.id(id_)
    ret = gen(id_, keysize)
    acc_path = os.path.join(__opts__['pki_dir'], 'minions', id_)
    if os.path.isfile(acc_path) and not force: