From 0416746eeda0dc06d7125c9d84916e3a8473be9e Mon Sep 17 00:00:00 2001
From: Ash-exp
Date: Mon, 18 Dec 2023 18:05:24 +0530
Subject: [PATCH] feat: Password sanitization
---
 internal/step-lib/util/cli-util/sanitizeParam.go | 8 ++++++++
 pkg/security/ImageScanService.go | 16 ++++++++--------
 2 files changed, 16 insertions(+), 8 deletions(-)
 create mode 100644 internal/step-lib/util/cli-util/sanitizeParam.go
diff --git a/internal/step-lib/util/cli-util/sanitizeParam.go b/internal/step-lib/util/cli-util/sanitizeParam.go
new file mode 100644
index 00000000..28fe4d12
--- /dev/null
+++ b/internal/step-lib/util/cli-util/sanitizeParam.go
@@ -0,0 +1,8 @@
+package cli_util
+
+import "fmt"
+
+// SanitizeCliParam is used where we are directly injecting the user defined params to any CLI commands. This prevents any script injection to the running env
+func SanitizeCliParam(param string) string {
+	return fmt.Sprintf("%q", param)
+}
diff --git a/pkg/security/ImageScanService.go b/pkg/security/ImageScanService.go
index 845973a7..3ec0e5d1 100644
--- a/pkg/security/ImageScanService.go
+++ b/pkg/security/ImageScanService.go
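Review bot: `fmt.Sprintf("%q", param)` in SanitizeCliParam yields a Go string literal, which is not shell-safe quoting: inside POSIX double quotes `$`, backticks and `\` keep their meaning, so a password such as `$(id)` becomes `"$(id)"` and is still command-substituted when the rendered command runs under a shell, while a legitimate tab or backslash in a secret is rewritten to `\t`/`\\` and the wrong credential is submitted. If the template output is executed by a shell, single-quote it instead, `return "'" + strings.ReplaceAll(param, "'", "'\\''") + "'"` (swapping the `fmt` import for `strings`); if it is consumed as argv via exec, no quoting is needed and this escaping corrupts the value, so the quoting should be decided by the consumer rather than applied blindly to every field. I cannot see where the rendered template is executed from this patch, so confirm which case applies before relying on this helper for the AWS keys and registry password it now wraps. The doc comment should also stop promising protection it does not provide, e.g. `// SanitizeCliParam wraps param in a Go-style quoted literal; this is not shell escaping and must not be relied on alone.`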
@@ -536,14 +536,14 @@ func (impl *ImageScanServiceImpl) RenderInputDataForAStep(inputPayloadTmpl strin
 		}
 	}
 	//entering imageScanRenderData in above json map; TODO: update this to some other logic to handle more fields in future
-	jsonMap[common.AWSSecretAccessKey] = imageScanRenderDto.AWSSecretAccessKey
-	jsonMap[common.AWSAccessKeyId] = imageScanRenderDto.AWSAccessKeyId
-	jsonMap[common.AWSRegion] = imageScanRenderDto.AWSRegion
-	jsonMap[common.Username] = imageScanRenderDto.Username
-	jsonMap[common.Password] = imageScanRenderDto.Password
-	jsonMap[common.GCR_FILE_PATH] = toolExecutionDirectoryPath
-	jsonMap[common.IMAGE_NAME] = imageScanRenderDto.Image
-	jsonMap[common.OUTPUT_FILE_PATH] = imageScanRenderDto.OutputFilePath
+	jsonMap[common.AWSSecretAccessKey] = cliUtil.SanitizeCliParam(imageScanRenderDto.AWSSecretAccessKey)
+	jsonMap[common.AWSAccessKeyId] = cliUtil.SanitizeCliParam(imageScanRenderDto.AWSAccessKeyId)
+	jsonMap[common.AWSRegion] = cliUtil.SanitizeCliParam(imageScanRenderDto.AWSRegion)
+	jsonMap[common.Username] = cliUtil.SanitizeCliParam(imageScanRenderDto.Username)
+	jsonMap[common.Password] = cliUtil.SanitizeCliParam(imageScanRenderDto.Password)
+	jsonMap[common.GCR_FILE_PATH] = cliUtil.SanitizeCliParam(toolExecutionDirectoryPath)
+	jsonMap[common.IMAGE_NAME] = cliUtil.SanitizeCliParam(imageScanRenderDto.Image)
+	jsonMap[common.OUTPUT_FILE_PATH] = cliUtil.SanitizeCliParam(imageScanRenderDto.OutputFilePath)
 	for key, val := range metaDataMap {
 		jsonMap[key] = val