Fix escaping for LDAP creds in nfsv3driver job

julian-hj · julian-hj · commit 84dac3b4387f · 2020-08-26T16:24:53.000-07:00
- use single quotes to avoid bash interpretation of sequences like !$
- add quoting for apostrophe characters in strings
- add unit tests

Authored-by: Julian Hjortshoj &lt;hjortshojj@vmware.com&gt;

[#174504248] Improper quoting of LDAP service account credentials in BOSH scripts
diff --git a/jobs/nfsv3driver/templates/start.sh.erb b/jobs/nfsv3driver/templates/start.sh.erb
@@ -17,8 +17,8 @@ chown -R vcap:vcap $RUN_DIR
 echo $$ > $PIDFILE
 
 # ldap connection and credential info are passed via environment
-export LDAP_SVC_USER="<%= p("nfsv3driver.ldap_svc_user") %>"
-export LDAP_SVC_PASS="<%= p("nfsv3driver.ldap_svc_password") %>"
+export LDAP_SVC_USER='<%= p("nfsv3driver.ldap_svc_user").gsub("'", "'\"'\"'") %>'
+export LDAP_SVC_PASS='<%= p("nfsv3driver.ldap_svc_password").gsub("'", "'\"'\"'") %>'
 export LDAP_HOST="<%= p("nfsv3driver.ldap_host") %>"
 export LDAP_PORT="<%= p("nfsv3driver.ldap_port") %>"
 export LDAP_PROTO="<%= p("nfsv3driver.ldap_proto") %>"
diff --git a/spec/jobs/nfsv3driver/start_sh_spec.rb b/spec/jobs/nfsv3driver/start_sh_spec.rb
@@ -52,8 +52,8 @@
         it 'sets the allowedOptions flag correctly' do
           tpl_output = template.render(manifest_properties, consumes: mapfs_link)
 
-          expect(tpl_output).to include("export LDAP_SVC_USER=\"service-user\"")
-          expect(tpl_output).to include("export LDAP_SVC_PASS=\"service-password\"")
+          expect(tpl_output).to include("export LDAP_SVC_USER='service-user'")
+          expect(tpl_output).to include("export LDAP_SVC_PASS='service-password'")
           expect(tpl_output).to include("export LDAP_HOST=\"some-host\"")
           expect(tpl_output).to include("export LDAP_PORT=\"1234\"")
           expect(tpl_output).to include("export LDAP_PROTO=\"udp\"")
@@ -62,6 +62,28 @@
         end
       end
 
+      context 'when ldap properties contain bash special characters' do
+        let(:manifest_properties) do
+          {
+            "nfsv3driver" => {
+              "ldap_svc_user" => "Patrick O'Malley",
+              "ldap_svc_password" => "!que&pasa!${xxx}$?",
+              "ldap_host" => "some-host",
+              "ldap_port" => 1234,
+              "ldap_proto" => "udp",
+              "ldap_user_fqdn" => "cn=Users,dc=corp,dc=test,dc=com",
+              "ldap_ca_cert" => "some-ca-cert",
+            }
+          }
+        end
+
+        it 'escapes the properties correctly' do
+          tpl_output = template.render(manifest_properties, consumes: mapfs_link)
+
+          expect(tpl_output).to include("export LDAP_SVC_USER='Patrick O'\"'\"'Malley'")
+          expect(tpl_output).to include("export LDAP_SVC_PASS='!que&pasa!${xxx}$?'")
+        end
+      end
     context 'when configured with ldap with a null ca cert' do
       let(:manifest_properties) do
         {
