From 30566028553be8466cce23587a066159acbbf42e Mon Sep 17 00:00:00 2001 From: Pavel Moravec Date: Sun, 1 Sep 2024 15:59:59 +0200 Subject: [PATCH] [sos_extras] Allow obfuscation in sos_extras configs Resolves: #3768 Signed-off-by: Pavel Moravec --- sos/report/plugins/sos_extras.py | 38 +++++++++++++++++++++++++++++--- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/sos/report/plugins/sos_extras.py b/sos/report/plugins/sos_extras.py index 7ccbadcdc..83e9fb4ec 100644 --- a/sos/report/plugins/sos_extras.py +++ b/sos/report/plugins/sos_extras.py @@ -19,14 +19,21 @@ class SosExtras(Plugin, IndependentPlugin): it executes commands or collects files optionally with sizelimit. Expected content of a file: - empty lines or those starting with '#' are ignored - - add_copy_spec called to lines starting by ':', optionally followed by - sizelimit + - lines starting by ':' are treated as files to copy, optionally followed + by sizelimit + - lines starting by '*' are treated as obfuscation of a secret (postproc) + - if ':' follows, files will search given RE and replace by given RE + string, by calling do_path_regex_sub method + - otherwise, command output will be obfuscated (given RE to be replaced + by given RE string by calling do_cmd_output_sub) - otherwise, whole line will be executed as a command. Example: command1 --arg1 val1 command2 :/path/to/file :/path/to/files* sizelimit + *command1 password=.+ \1******** + *:/path/to/files(.*) pass:\\s*(.*) \1******** WARNING: be careful what files to collect or what commands to execute: - prevent calling potentially dangerous or system altering commands, like: 
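Review bot: Both obfuscation examples added to the docstring would fail to mask the secret if copied as written. In `*command1 password=.+ \1********` the pattern has no capture group, so `\1` in the replacement is an invalid group reference for Python's `re`. In `*:/path/to/files(.*) pass:\\s*(.*) \1********` group 1 is the secret itself, so the substitution writes the password back followed by asterisks. Capturing the key instead of the value keeps the examples safe, e.g. `*command1 (password=).+ \1********` and `*:/path/to/files(.*) (pass:\\s*).* \1********`. The docstring starts before this hunk and continues past it.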
@@ -34,7 +41,8 @@ class SosExtras(Plugin, IndependentPlugin): - executing commands on background - setting env.variables (as those will be ignored) - altering a system (not only by "rm -rf") - - be aware, no secret obfuscation is made + - be aware, you are responsible for secret obfuscation + - globs to obfuscate secrets in files are RE globs, not bash globs! """ plugin_name = "sos_extras" @@ -44,6 +52,9 @@ class SosExtras(Plugin, IndependentPlugin): files = (extras_dir,) def setup(self): + self.path_regex_subs = [] + self.cmd_output_subs = [] + try: st_res = os.stat(self.extras_dir) if (st_res.st_uid != 0) or (st_res.st_mode & stat.S_IWGRP) or \ @@ -81,6 +92,21 @@ def setup(self): ) self.add_copy_spec(words[0][1:], sizelimit=limit) + elif line.startswith('*'): + words = line.split() + if len(words) != 3: + self._log_warn( + f"Invalid obfuscation syntax on line " + f"{line}, ignoring!!!" + ) + if words[0][1] == ':': + self.path_regex_subs.append( + (words[0][2:], words[1], words[2]) + ) + else: + self.cmd_output_subs.append( + (words[0][1:], words[1], words[2]) + ) else: # command to execute self.add_cmd_output(line, subdir=file) @@ -88,4 +114,10 @@ def setup(self): except IOError: self._log_warn(f"unable to read extras file {_file}") + def postproc(self): + for path, regexp, subst in self.path_regex_subs: + self.do_path_regex_sub(rf'{path}', rf'{regexp}', rf'{subst}') + for cmd, regexp, subst in self.cmd_output_subs: + self.do_cmd_output_sub(rf'{cmd}', rf'{regexp}', rf'{subst}') + # vim: set et ts=4 sw=4 :
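Review bot: The malformed-line branch in the new `elif line.startswith('*'):` block logs a warning but does not skip the line. A line with fewer than three words therefore still reaches `words[0][1]`, `words[1]` and `words[2]` and raises IndexError, which the `except IOError` visible in the following hunk would not catch. A line with more than three words is silently registered with the wrong fields. Adding `continue` directly after the `self._log_warn(...)` call fixes both, assuming this code sits in the per-line loop, which starts outside the hunk. Because the line is tokenised with `line.split()`, neither the command prefix nor the pattern can contain whitespace, which the docstring should state so that users do not write rules that never match and leave secrets unmasked.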
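Review bot: The `rf'{path}'`, `rf'{regexp}'` and `rf'{subst}'` wrappers in `postproc` have no effect. The raw prefix only changes how literal text in the source is read, and these values are already plain strings taken from the config file. `self.do_path_regex_sub(path, regexp, subst)` and `self.do_cmd_output_sub(cmd, regexp, subst)` are equivalent and clearer. The method also lacks a docstring; `"""Apply the obfuscation rules collected from the extras files in setup()."""` would do. How the two `do_*_sub` helpers react to an invalid user-supplied pattern is not visible here; if they raise, one bad rule would stop the remaining substitutions, so that is worth checking.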