File escape-terminal-special-characters-in-kubectl-112553.patch of Package kubernetes1.24.35690
From dad0e937c0f76344363eb691b2668490ffef8537 Mon Sep 17 00:00:00 2001
From: David Leadbeater <dgl@dgl.cx>
Date: Mon, 31 Oct 2022 01:08:43 +1000
Subject: [PATCH] Escape terminal special characters in kubectl (#112553)
* Escape terminal special characters in kubectl
* Add escaping for kubectl alpha events
---
.../cli-runtime/pkg/printers/tableprinter.go | 13 ++++---
.../pkg/printers/tableprinter_test.go | 12 ++++++
.../cli-runtime/pkg/printers/terminal.go | 39 +++++++++++++++++++
.../kubectl/pkg/cmd/events/event_printer.go | 10 +++--
.../pkg/cmd/events/event_printer_test.go | 34 ++++++++++++++++
.../kubectl/pkg/cmd/get/customcolumn.go | 2 +-
.../kubectl/pkg/cmd/get/customcolumn_test.go | 16 ++++++++
.../k8s.io/kubectl/pkg/describe/describe.go | 7 +++-
.../kubectl/pkg/describe/describe_test.go | 19 +++++++++
9 files changed, 139 insertions(+), 13 deletions(-)
create mode 100644 staging/src/k8s.io/cli-runtime/pkg/printers/terminal.go
Index: kubernetes-1.24.17/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter.go
===================================================================
--- kubernetes-1.24.17.orig/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter.go
+++ kubernetes-1.24.17/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter.go
@@ -212,18 +212,19 @@ func printTable(table *metav1.Table, out
case string:
print := val
truncated := false
- // truncate at newlines
- newline := strings.Index(print, "\n")
- if newline >= 0 {
+ // Truncate at the first newline, carriage return or formfeed
+ // (treated as a newline by tabwriter).
+ breakchar := strings.IndexAny(print, "\f\n\r")
+ if breakchar >= 0 {
truncated = true
- print = print[:newline]
+ print = print[:breakchar]
}
- fmt.Fprint(output, print)
+ WriteEscaped(output, print)
if truncated {
fmt.Fprint(output, "...")
}
default:
- fmt.Fprint(output, val)
+ WriteEscaped(output, fmt.Sprint(val))
}
}
}
Index: kubernetes-1.24.17/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter_test.go
===================================================================
--- kubernetes-1.24.17.orig/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter_test.go
+++ kubernetes-1.24.17/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter_test.go
@@ -771,6 +771,18 @@ test1 20h This is first line which i
test1 20h This is first...
`,
},
+ // terminal special character, should be escaped
+ {
+ columns: []metav1.TableColumnDefinition{
+ {Name: "Name", Type: "string"},
+ },
+ rows: []metav1.TableRow{
+ {Cells: []interface{}{"test1\x1b"}},
+ },
+ expected: `NAME
+test1^[
+`,
+ },
}
for _, test := range tests {
Index: kubernetes-1.24.17/staging/src/k8s.io/cli-runtime/pkg/printers/terminal.go
===================================================================
--- /dev/null
+++ kubernetes-1.24.17/staging/src/k8s.io/cli-runtime/pkg/printers/terminal.go
@@ -0,0 +1,39 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+ "io"
+ "strings"
+)
+
+// terminalEscaper replaces ANSI escape sequences and other terminal special
+// characters to avoid terminal escape character attacks (issue #101695).
+var terminalEscaper = strings.NewReplacer("\x1b", "^[", "\r", "\\r")
+
+// WriteEscaped replaces unsafe terminal characters with replacement strings
+// and writes them to the given writer.
+func WriteEscaped(writer io.Writer, output string) error {
+ _, err := terminalEscaper.WriteString(writer, output)
+ return err
+}
+
+// EscapeTerminal escapes terminal special characters in a human readable (but
+// non-reversible) format.
+func EscapeTerminal(in string) string {
+ return terminalEscaper.Replace(in)
+}
Index: kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn.go
===================================================================
--- kubernetes-1.24.17.orig/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn.go
+++ kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn.go
@@ -252,7 +252,7 @@ func (s *CustomColumnsPrinter) printOneO
}
for arrIx := range values {
for valIx := range values[arrIx] {
- valueStrings = append(valueStrings, fmt.Sprintf("%v", values[arrIx][valIx].Interface()))
+ valueStrings = append(valueStrings, printers.EscapeTerminal(fmt.Sprint(values[arrIx][valIx].Interface())))
}
}
columns[ix] = strings.Join(valueStrings, ",")
Index: kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn_test.go
===================================================================
--- kubernetes-1.24.17.orig/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn_test.go
+++ kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn_test.go
@@ -313,6 +313,22 @@ foo baz
foo baz <none>
`,
},
+ {
+ columns: []Column{
+ {
+ Header: "NAME",
+ FieldSpec: "{.metadata.name}",
+ },
+ },
+ obj: &corev1.PodList{
+ Items: []corev1.Pod{
+ {ObjectMeta: metav1.ObjectMeta{Name: "\x1b \r"}},
+ },
+ },
+ expectedOutput: `NAME
+^[ \r
+`,
+ },
}
for _, test := range tests {
Index: kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/describe/describe.go
===================================================================
--- kubernetes-1.24.17.orig/staging/src/k8s.io/kubectl/pkg/describe/describe.go
+++ kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/describe/describe.go
@@ -65,6 +65,7 @@ import (
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/cli-runtime/pkg/genericclioptions"
+ "k8s.io/cli-runtime/pkg/printers"
runtimeresource "k8s.io/cli-runtime/pkg/resource"
"k8s.io/client-go/dynamic"
clientset "k8s.io/client-go/kubernetes"
@@ -148,11 +149,13 @@ func (pw *prefixWriter) Write(level int,
for i := 0; i < level; i++ {
prefix += levelSpace
}
- fmt.Fprintf(pw.out, prefix+format, a...)
+ output := fmt.Sprintf(prefix+format, a...)
+ printers.WriteEscaped(pw.out, output)
}
func (pw *prefixWriter) WriteLine(a ...interface{}) {
- fmt.Fprintln(pw.out, a...)
+ output := fmt.Sprintln(a...)
+ printers.WriteEscaped(pw.out, output)
}
func (pw *prefixWriter) Flush() {
Index: kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
===================================================================
--- kubernetes-1.24.17.orig/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
+++ kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
@@ -5322,3 +5322,22 @@ func TestControllerRef(t *testing.T) {
t.Errorf("unexpected out: %s", out)
}
}
+
+func TestDescribeTerminalEscape(t *testing.T) {
+ fake := fake.NewSimpleClientset(&corev1.ConfigMap{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "mycm",
+ Namespace: "foo",
+ Annotations: map[string]string{"annotation1": "terminal escape: \x1b"},
+ },
+ })
+ c := &describeClient{T: t, Namespace: "foo", Interface: fake}
+ d := ConfigMapDescriber{c}
+ out, err := d.Describe("foo", "mycm", DescriberSettings{ShowEvents: true})
+ if err != nil {
+ t.Errorf("unexpected error: %v", err)
+ }
+ if strings.Contains(out, "\x1b") || !strings.Contains(out, "^[") {
+ t.Errorf("unexpected out: %s", out)
+ }
+}
Index: kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/cmd/events/events.go
===================================================================
--- kubernetes-1.24.17.orig/staging/src/k8s.io/kubectl/pkg/cmd/events/events.go
+++ kubernetes-1.24.17/staging/src/k8s.io/kubectl/pkg/cmd/events/events.go
@@ -284,10 +284,11 @@ func printOneEvent(w io.Writer, e corev1
}
fmt.Fprintf(w, "%s\t%s\t%s\t%s/%s\t%v\n",
interval,
- e.Type,
- e.Reason,
- e.InvolvedObject.Kind, e.InvolvedObject.Name,
- strings.TrimSpace(e.Message),
+ printers.EscapeTerminal(e.Type),
+ printers.EscapeTerminal(e.Reason),
+ printers.EscapeTerminal(e.InvolvedObject.Kind),
+ printers.EscapeTerminal(e.InvolvedObject.Name),
+ printers.EscapeTerminal(strings.TrimSpace(e.Message)),
)
}
