Commit 183f2e76 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Łukasz Nowak

caddy-frontend: Escape whole command-line for re6st-optimal-test

Thanks to escaping the whole command-line, it is possible to process strings
that are dangerous for buildout, like ${section:option}, and pass them to the
wrapper instead of killing the whole profile processing.
parent 07a97c31
......@@ -282,9 +282,10 @@ wrapper-path = {{ promise_directory }}/${:filename}
{% if re6st_ipv6 and re6st_ipv4 %}
{% set re6st_optimal_test_section_title = 'check-%s-re6st-optimal-test' % slave_instance.get('slave_reference') %}
{% do part_list.append(re6st_optimal_test_section_title) %}
[{{ re6st_optimal_test_section_title }}]
recipe = slapos.cookbook:wrapper
command-line = {{ bin_directory }}/check-re6st-optimal-status -4 {{re6st_ipv4}} -6 {{re6st_ipv6}}
command-line = {{ dumps(bin_directory ~ '/check-re6st-optimal-status -4 ' ~ re6st_ipv4 ~ ' -6 ' ~ re6st_ipv6) }}
filename = {{ re6st_optimal_test_section_title }}
wrapper-path = {{ promise_directory }}/${:filename}
{% endif %}
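Review bot: The added `command-line` is protected against buildout substitution by `dumps(...)`, but `re6st_ipv4` and `re6st_ipv6` are still concatenated unquoted into a single string that the wrapper later splits into arguments. The expected output in this commit's own test (`-4 newline [s${esection:eoption} -6 new line;rm -fr ~;`) suggests that whitespace in the requester-supplied value produces extra arguments, so a token such as `-fr` reaches `check-re6st-optimal-status` as a separate argument that it may parse as an option. Consider validating both values as IP addresses before this section is emitted, or quoting each value individually inside the string passed to `dumps`. Where `re6st_ipv4` and `re6st_ipv6` are derived is outside this hunk, so any validation already done there is not visible.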
......
......@@ -3032,8 +3032,56 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
're6st-optimal-test-nocomma': {
're6st-optimal-test': 'nocomma',
},
're6st-optimal-test-unsafe': {
're6st-optimal-test':
'new\nline;rm -fr ~;,new\line\n[s${esection:eoption}',
},
}
def test_re6st_optimal_test_unsafe(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
're6st-optimal-test-unsafe']
self.assertLogAccessUrlWithPop(parameter_dict, 're6st-optimal-test-unsafe')
self.assertEqual(
parameter_dict,
{
'domain': 're6stoptimaltestunsafe.example.com',
'replication_number': '1',
'url': 'http://re6stoptimaltestunsafe.example.com',
'site_url': 'http://re6stoptimaltestunsafe.example.com',
'secure_access': 'https://re6stoptimaltestunsafe.example.com',
'public-ipv4': LOCAL_IPV4,
}
)
result = self.fakeHTTPSResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(
der2pem(result.peercert),
open('wildcard.example.com.crt').read())
self.assertEqual(result.status_code, no_backend_response_code)
# rewrite SR/bin/is-icmp-packet-lost
open(
os.path.join(
self.software_path, 'bin', 'check-re6st-optimal-status'), 'w'
).write('echo "$@"')
# call the monitor for this partition
monitor_file = glob.glob(
os.path.join(
self.instance_path, '*', 'etc', 'monitor-promise',
'check-_re6st-optimal-test-unsafe-re6st-optimal-test'))[0]
# Note: The result is a bit differnt from the request (newlines stripped),
# but good enough to prove, that ${esection:eoption} has been
# correctly passed to the script.
self.assertEqual(
'-4 newline [s${esection:eoption} -6 new line;rm -fr ~;',
subprocess.check_output(monitor_file).strip()
)
def test_re6st_optimal_test_nocomma(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
're6st-optimal-test-nocomma']
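Review bot: The stub script in `test_re6st_optimal_test_unsafe` is written with `open(...).write('echo "$@"')` and never closed, so the test relies on the interpreter collecting the file object before `subprocess.check_output(monitor_file)` runs it; prefer `with open(os.path.join(self.software_path, 'bin', 'check-re6st-optimal-status'), 'w') as stub: stub.write('echo "$@"')`. The comment above it, `# rewrite SR/bin/is-icmp-packet-lost`, names a different script than the one overwritten and should read `# replace SR/bin/check-re6st-optimal-status with a stub that echoes its arguments`. The stub also appears to stay in the shared software path after the test, which may affect other tests that expect the real script; no restore step is visible in this hunk. The enclosing class starts before the hunk and `test_re6st_optimal_test_nocomma` continues after it.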
......
......@@ -3,6 +3,8 @@ TestSlaveBadParameters-1/var/log/frontend-access.log
TestSlaveBadParameters-1/var/log/frontend-error.log
TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-nocomma_access_log
TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-nocomma_error_log
TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-unsafe_access_log
TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-unsafe_error_log
TestSlaveBadParameters-1/var/log/monitor-httpd-error.log
TestSlaveBadParameters-1/var/log/nginx-access.log
TestSlaveBadParameters-1/var/log/nginx-error.log
......
TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-nocomma-error-log-last-day
TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-nocomma-error-log-last-hour
\ No newline at end of file
TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-nocomma-error-log-last-hour
TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-unsafe-error-log-last-day
TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-unsafe-error-log-last-hour
TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-unsafe-re6st-optimal-test
\ No newline at end of file