OCM-11513 | fix: sanitize user input so that command with registry ar…
…guments is executable.
patrickjennings committed Oct 3, 2024
1 parent a4af6ae commit 15c862d
Showing 3 changed files with 13 additions and 11 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -56,7 +56,7 @@ require (
require (
github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
github.com/99designs/keyring v1.2.2 // indirect
github.com/alessio/shellescape v1.4.1 // indirect
github.com/alessio/shellescape v1.4.1
github.com/andybalholm/cascadia v1.3.2 // indirect
github.com/apparentlymart/go-cidr v1.1.0 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
13 changes: 7 additions & 6 deletions pkg/clusterregistryconfig/flags.go
Expand Up @@ -5,6 +5,7 @@ import (
"strconv"
"strings"

"github.com/alessio/shellescape"
cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
Expand Down Expand Up @@ -263,37 +264,37 @@ func BuildRegistryConfigOptions(spec ocm.Spec) string {
if len(spec.AllowedRegistries) > 0 {
command += fmt.Sprintf(" --%s %s",
allowedRegistriesFlag,
strings.Join(spec.AllowedRegistries, ","))
shellescape.Quote(strings.Join(spec.AllowedRegistries, ",")))
}

if len(spec.BlockedRegistries) > 0 {
command += fmt.Sprintf(" --%s %s",
blockedRegistriesFlag,
strings.Join(spec.BlockedRegistries, ","))
shellescape.Quote(strings.Join(spec.BlockedRegistries, ",")))
}

if len(spec.InsecureRegistries) > 0 {
command += fmt.Sprintf(" --%s %s",
insecureRegistriesFlag,
strings.Join(spec.InsecureRegistries, ","))
shellescape.Quote(strings.Join(spec.InsecureRegistries, ",")))
}

if spec.AdditionalTrustedCaFile != "" {
command += fmt.Sprintf(" --%s %s",
additionalTrustedCaPathFlag,
spec.AdditionalTrustedCaFile)
shellescape.Quote(spec.AdditionalTrustedCaFile))
}

if spec.PlatformAllowlist != "" {
command += fmt.Sprintf(" --%s %s",
platformAllowlistFlag,
spec.PlatformAllowlist)
shellescape.Quote(spec.PlatformAllowlist))
}

if spec.AllowedRegistriesForImport != "" {
command += fmt.Sprintf(" --%s %s",
allowedRegistriesForImportFlag,
spec.AllowedRegistriesForImport)
shellescape.Quote(spec.AllowedRegistriesForImport))
}

return command
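Review bot: `shellescape.Quote` emits POSIX-shell single-quote quoting, so the string assembled in `BuildRegistryConfigOptions` is only safe to paste into sh-compatible shells. If this text is also shown to users on Windows (not visible from this hunk), cmd.exe does not treat `'` as a quote character and a value like `'*.io:false'` would reach the program with the quotes still attached. The function has no doc comment stating that contract; I would add `// BuildRegistryConfigOptions returns the registry-config flags as a POSIX-shell-quoted fragment for display; do not split it on spaces or hand it to a non-POSIX shell.` The six blocks now repeat the same `fmt.Sprintf(" --%s %s", flag, shellescape.Quote(v))` shape and could share one small helper, so that a flag added later cannot skip the quoting. The function's opening lines and closing brace are outside the hunk.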
9 changes: 5 additions & 4 deletions pkg/clusterregistryconfig/flags_test.go
Expand Up @@ -62,17 +62,18 @@ var _ = Describe("Cluster Registry Config tests", func() {

It("Returns the expected string if set", func() {
spec.AllowedRegistries = []string{"abc.com", "efg.com"}
spec.InsecureRegistries = []string{"insecure.com"}
spec.InsecureRegistries = []string{"insecure.com", "*.insecure.com"}
spec.BlockedRegistries = []string{"blocked.com"}
spec.AdditionalTrustedCaFile = "ca.json"
spec.PlatformAllowlist = "allowlist-id"
spec.AllowedRegistriesForImport = "lala.com:true"
spec.AllowedRegistriesForImport = "lala.com:true,*.io:false"
output := BuildRegistryConfigOptions(spec)
expectedOutput := " --registry-config-allowed-registries abc.com,efg.com" +
" --registry-config-blocked-registries blocked.com" +
" --registry-config-insecure-registries insecure.com --registry-config-additional-trusted-ca ca.json" +
" --registry-config-insecure-registries 'insecure.com,*.insecure.com'" +
" --registry-config-additional-trusted-ca ca.json" +
" --registry-config-platform-allowlist allowlist-id" +
" --registry-config-allowed-registries-for-import lala.com:true"
" --registry-config-allowed-registries-for-import 'lala.com:true,*.io:false'"
Expect(output).To(Equal(expectedOutput))
})
})
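Review bot: The updated expectation in this `It` block only exercises the `*` glob, so no assertion pins the quoting of the values most likely to break a pasted command: a CA file path containing a space, or any value containing a single quote. I would add a case such as `spec.AdditionalTrustedCaFile = "my ca.json"` expecting `--registry-config-additional-trusted-ca 'my ca.json'` (constructed sample), plus one value with an embedded `'`, so a regression in the escaping fails here rather than in a user's terminal. The enclosing `Describe` block starts outside the hunk.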