[sos_extras] Allow obfuscation in sos_extras configs

Resolves: #3768 Signed-off-by: Pavel Moravec <[email protected]>
sosreport · Sep 3, 2024 · 3056602 · 3056602
1 parent 3886534
commit 3056602
Showing 1 changed file with 35 additions and 3 deletions.
diff --git a/sos/report/plugins/sos_extras.py b/sos/report/plugins/sos_extras.py
@@ -19,22 +19,30 @@ class SosExtras(Plugin, IndependentPlugin):
     it executes commands or collects files optionally with sizelimit. Expected
     content of a file:
     - empty lines or those starting with '#' are ignored
-    - add_copy_spec called to lines starting by ':', optionally followed by
-      sizelimit
+    - lines starting by ':' are treated as files to copy, optionally followed
+      by sizelimit
+    - lines starting by '*' are treated as obfuscation of a secret (postproc)
+      - if ':' follows, files will search given RE and replace by given RE
+        string, by calling do_path_regex_sub method
+      - otherwise, command output will be obfuscated (given RE to be replaced
+        by given RE string by calling do_cmd_output_sub)
     - otherwise, whole line will be executed as a command.
     Example:
     command1 --arg1 val1
     command2
     :/path/to/file
     :/path/to/files* sizelimit
+    *command1 password=.+ \1********
+    *:/path/to/files(.*) pass:\\s*(.*) \1********
 
     WARNING: be careful what files to collect or what commands to execute:
     - prevent calling potentially dangerous or system altering commands, like:
       - using multiple commands on a line (via pipes, semicolon etc.)
       - executing commands on background
       - setting env.variables (as those will be ignored)
       - altering a system (not only by "rm -rf")
-    - be aware, no secret obfuscation is made
+    - be aware, you are responsible for secret obfuscation
+    - globs to obfuscate secrets in files are RE globs, not bash globs!
     """
 
     plugin_name = "sos_extras"
@@ -44,6 +52,9 @@ class SosExtras(Plugin, IndependentPlugin):
     files = (extras_dir,)
 
     def setup(self):
+        self.path_regex_subs = []
+        self.cmd_output_subs = []
+
         try:
             st_res = os.stat(self.extras_dir)
             if (st_res.st_uid != 0) or (st_res.st_mode & stat.S_IWGRP) or \
@@ -81,11 +92,32 @@ def setup(self):
                                         )
                                 self.add_copy_spec(words[0][1:],
                                                    sizelimit=limit)
+                            elif line.startswith('*'):
+                                words = line.split()
+                                if len(words) != 3:
+                                    self._log_warn(
+                                        f"Invalid obfuscation syntax on line "
+                                        f"{line}, ignoring!!!"
+                                    )
+                                if words[0][1] == ':':
+                                    self.path_regex_subs.append(
+                                        (words[0][2:], words[1], words[2])
+                                    )
+                                else:
+                                    self.cmd_output_subs.append(
+                                        (words[0][1:], words[1], words[2])
+                                    )
                             else:
                                 # command to execute
                                 self.add_cmd_output(line, subdir=file)
 
                 except IOError:
                     self._log_warn(f"unable to read extras file {_file}")
 
+    def postproc(self):
+        for path, regexp, subst in self.path_regex_subs:
+            self.do_path_regex_sub(rf'{path}', rf'{regexp}', rf'{subst}')
+        for cmd, regexp, subst in self.cmd_output_subs:
+            self.do_cmd_output_sub(rf'{cmd}', rf'{regexp}', rf'{subst}')
+
 # vim: set et ts=4 sw=4 :