From 60356d6b1096407ed9cd71cf519ac2a381bedee4 Mon Sep 17 00:00:00 2001 From: Pavel Moravec Date: Fri, 27 Sep 2024 08:30:06 +0200 Subject: [PATCH] [plugins] Obfuscate http URL credentials HTTP_PROXY or similar env.variables can contain credentials we must scrub. The variables or directly credentials of a http(s) URL can be specified in several places the commit deals with. Futher, update apt plugin to use the new do_paths_httpp_sub method. Resolves: #3789 Signed-off-by: Pavel Moravec --- sos/report/plugins/__init__.py | 15 +++++++++++++++ sos/report/plugins/anaconda.py | 9 +++++---- sos/report/plugins/apt.py | 12 ++---------- sos/report/plugins/system.py | 6 ++++++ sos/report/plugins/systemd.py | 7 +++++++ 5 files changed, 35 insertions(+), 14 deletions(-) diff --git a/sos/report/plugins/__init__.py b/sos/report/plugins/__init__.py index f88f0c0d26..9b54c68a12 100644 --- a/sos/report/plugins/__init__.py +++ b/sos/report/plugins/__init__.py @@ -1313,6 +1313,21 @@ def do_file_sub(self, srcpath, regexp, subst): replacements = 0 return replacements + def do_paths_http_sub(self, pathspecs): + """ Obfuscate credentials in *_PROXY variables in all files in the + given list. Proxy setting without protocol is ignored, since that + is not recommended setting and obfuscating that one can hit false + positives. + + :param pathspecs: A filepath to obfuscate credentials in + :type pathspecs: ``str`` or a ``list`` of strings + """ + if isinstance(pathspecs, str): + pathspecs = [pathspecs] + for path in pathspecs: + self.do_path_regex_sub( + path, r"(http(s)?://)\S+:\S+(@.*)", r"\1******:******\3") + def do_path_regex_sub(self, pathexp, regexp, subst): """Apply a regexp substituation to a set of files archived by sos. The set of files to be substituted is generated by matching diff --git a/sos/report/plugins/anaconda.py b/sos/report/plugins/anaconda.py index 78577d3f7e..77f54d650a 100644 --- a/sos/report/plugins/anaconda.py +++ b/sos/report/plugins/anaconda.py 
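Review bot: In `do_paths_http_sub` the pattern's last group, `(@.*)`, consumes the rest of the line, so when one line holds two URLs with credentials only the first is masked and the second is copied back verbatim through `\3`. That shape is plausible in the files this commit targets, for example a systemd `Environment=` line that sets both HTTP_PROXY and HTTPS_PROXY. Ending the match at the `@` keeps the replacement string unchanged and closes the gap: `r"(http(s)?://)\S+:\S+(@)"`. Userinfo without a colon (a bare token before `@`) is not matched by either form and may need its own rule. The callers added in anaconda.py, apt.py, system.py and systemd.py inherit this behaviour; this assumes `do_path_regex_sub`, whose body lies outside the hunk, substitutes each non-overlapping match.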
@@ -24,21 +24,21 @@ class Anaconda(Plugin, RedHatPlugin): def setup(self): - paths = [ + self.copypaths = [ "/root/anaconda-ks.cfg" ] if self.path_isdir('/var/log/anaconda'): # new anaconda - paths.append('/var/log/anaconda') + self.copypaths.append('/var/log/anaconda') else: - paths = paths + [ + self.copypaths = self.copypaths + [ "/var/log/anaconda.*", "/root/install.log", "/root/install.log.syslog" ] - self.add_copy_spec(paths) + self.add_copy_spec(self.copypaths) def postproc(self): self.do_file_sub( @@ -51,5 +51,6 @@ def postproc(self): r"(user.*--password=*\s*)\s*(\S*)", r"\1********" ) + self.do_paths_http_sub(self.copypaths) # vim: set et ts=4 sw=4 : diff --git a/sos/report/plugins/apt.py b/sos/report/plugins/apt.py index 857a11b6fe..464cfb983f 100644 --- a/sos/report/plugins/apt.py +++ b/sos/report/plugins/apt.py @@ -48,19 +48,11 @@ def setup(self): def postproc(self): super().postproc() - common_regex = r"(http(s)?://)\S+:\S+(@.*)" - common_replace = r"\1******:******\3" - - files_to_sub = [ + self.do_paths_http_sub([ "/etc/apt/sources.list", "/etc/apt/sources.list.d/", "/etc/apt/apt.conf", "/etc/apt/apt.conf.d/", - ] - - for file in files_to_sub: - self.do_path_regex_sub( - file, common_regex, common_replace - ) + ]) # vim: set et ts=4 sw=4 : diff --git a/sos/report/plugins/system.py b/sos/report/plugins/system.py index cc282dc1bb..fcba116162 100644 --- a/sos/report/plugins/system.py +++ b/sos/report/plugins/system.py @@ -40,5 +40,11 @@ def setup(self): "ld.so --list-tunables" ]) + def postproc(self): + self.do_paths_http_sub([ + "/etc/sysconfig", + "/etc/default", + "/etc/environment", + ]) # vim: set et ts=4 sw=4 : diff --git a/sos/report/plugins/systemd.py b/sos/report/plugins/systemd.py index a50a155e36..b23b32febc 100644 --- a/sos/report/plugins/systemd.py +++ b/sos/report/plugins/systemd.py 
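Review bot: In anaconda.py, `postproc()` now reads `self.copypaths`, an attribute that only exists once `setup()` has run, and the same list serves both as copy specs and as path patterns. The context lines of the `__init__.py` hunk describe `do_path_regex_sub` as matching collected pathnames against `pathexp`, so an entry such as `/var/log/anaconda.*` is presumably interpreted as a regular expression there, not a glob. It works for the current entries, but a comment on the list such as `# also passed to do_paths_http_sub(): entries must be valid regexes` would stop a later glob-only entry from breaking the scrub. A class-level default like `copypaths = ()` would also keep `postproc()` safe if `setup()` returns early. Both method bodies extend beyond the hunks.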
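Review bot: The new `postproc()` in system.py scrubs `/etc/sysconfig`, `/etc/default` and `/etc/environment`, but the helper it calls only recognises an `http://` or `https://` prefix. These files commonly also set FTP or SOCKS proxy variables, whose values use other schemes and would keep their credentials. If that matters for these paths, the scheme group in the helper could be widened, for example `r"((?:https?|ftp|socks\w*)://)\S+:\S+(@)"` with replacement `r"\1******:******\2"`. The helper's docstring, which speaks of `*_PROXY` variables in general, should then state which schemes are covered.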
@@ -95,4 +95,11 @@ def setup(self): ]) self.add_forbidden_path('/dev/null') + def postproc(self): + self.do_paths_http_sub([ + "/etc/systemd/system", + "/lib/systemd/system", + "/run/systemd/system", + ]) + # vim: set et ts=4 sw=4 :
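Review bot: The new `postproc()` in systemd.py lists only the three system unit directories, so any other systemd path the plugin collects is left unscrubbed. The body of `setup()` is outside this hunk; if it also gathers user unit directories (for instance `/etc/systemd/user`) or records units under `/usr/lib/systemd/system` instead of `/lib/systemd/system`, proxy credentials in `Environment=` lines there would survive. Deriving the list from the same copy specs that `setup()` registers, as the anaconda change does with `self.copypaths`, would keep collection and scrubbing in step.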