From 4adc923cfaf25142aa4cbb909d65c0f3a999cc02 Mon Sep 17 00:00:00 2001 From: zhongtao Date: Tue, 29 Aug 2023 11:41:26 +0800 Subject: [PATCH 19/33] remove password in url module and clean sensitive info in struct passwd Signed-off-by: zhongtao --- .../modules/image/image_rootfs_handler.c | 13 +- src/utils/cpputils/url.cc | 144 +----------------- src/utils/cpputils/url.h | 19 +-- 3 files changed, 15 insertions(+), 161 deletions(-) diff --git a/src/daemon/modules/image/image_rootfs_handler.c b/src/daemon/modules/image/image_rootfs_handler.c index 1a3f4307..a8036ab9 100644 --- a/src/daemon/modules/image/image_rootfs_handler.c +++ b/src/daemon/modules/image/image_rootfs_handler.c @@ -85,6 +85,7 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user * char buf[BUFSIZ] = { 0 }; struct passwd pw; struct passwd *pwbufp = NULL; + int ret = -1; if (f_passwd != NULL) { #if defined (__ANDROID__) || defined(__MUSL__) @@ -116,7 +117,7 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user * if (errval != 0 && errval != ENOENT) { ERROR("Failed to parse passwd file: Insufficient buffer space supplied"); isulad_set_error_message("Failed to parse passwd file: Insufficient buffer space supplied"); - return -1; + goto out; } if (!userfound && user != NULL) { int uret = util_safe_llong(user, &n_user); @@ -124,16 +125,20 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user * if (uret != 0) { ERROR("Unable to find user '%s'", user); isulad_set_error_message("Unable to find user '%s': no matching entries in passwd file", user); - return -1; + goto out; } if (n_user < MINUID || n_user > MAXUID) { uids_gids_range_err_log(); - return -1; + goto out; } puser->uid = (uid_t)n_user; } + ret = 0; - return 0; +out: + memset(buf, 0, sizeof(buf)); + memset(pwbufp, 0, sizeof(struct passwd)); + return ret; } static int append_additional_gids(gid_t gid, gid_t **additional_gids, size_t *len) 
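Review bot: In the last hunk of image_rootfs_handler.c, the new `out:` label runs `memset(pwbufp, 0, sizeof(struct passwd));`, but `pwbufp` is initialised to NULL and is only assigned inside the `if (f_passwd != NULL)` branch. On the `f_passwd == NULL` path, and apparently whenever the passwd reader leaves the result pointer NULL at end of file, this writes through a null pointer on every return, including the success path. The parsed entry lives in the local `pw`, so the wipe should target it: `memset(&pw, 0, sizeof(pw));`. Because `buf` and `pw` are dead after the wipe, a plain memset() just before `return` may be removed by the optimiser; a non-elidable clear (for example `explicit_bzero()` where the libc provides it) would make the scrub reliable. The body of proc_by_fpasswd starts outside these hunks, so the reader loop itself is not visible here.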
diff --git a/src/utils/cpputils/url.cc b/src/utils/cpputils/url.cc index 117eba7e..baaded07 100644 --- a/src/utils/cpputils/url.cc +++ b/src/utils/cpputils/url.cc @@ -266,12 +266,7 @@ std::string Escape(const std::string &s, const EncodeMode &mode) UserInfo *User(const std::string &username) noexcept { - return new UserInfo { username, "", false }; -} - -UserInfo *UserPassword(const std::string &username, const std::string &password) noexcept -{ - return new UserInfo { username, password, true }; + return new UserInfo { username }; } int Getscheme(const std::string &rawurl, std::string &scheme, std::string &path) @@ -324,24 +319,6 @@ void Split(const std::string &s, const std::string &c, bool cutc, std::string &t u = s.substr(i, s.size()); } -URLDatum *Parse(const std::string &rawurl) -{ - std::string u, frag; - Split(rawurl, "#", true, u, frag); - auto *url = Parse(u, false); - if (url == nullptr) { - return nullptr; - } - if (frag.empty()) { - return url; - } - url->SetFragment(Unescape(frag, EncodeMode::ENCODE_FRAGMENT)); - if (url->GetFragment().empty()) { - return nullptr; - } - return url; -} - int SplitOffPossibleLeading(std::string &scheme, const std::string &rawurl, URLDatum *url, std::string &rest) { if (Getscheme(rawurl, scheme, rest) != 0) { 
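Review bot: `User()` is declared `noexcept`, but the new body `return new UserInfo { username };` uses throwing `new`, so an allocation failure ends in std::terminate instead of an error the caller can handle. Other allocations visible in this file, such as the one in `ResolveReference`, use `new (std::nothrow)`. Writing `return new (std::nothrow) UserInfo { username };` would keep the noexcept promise for the allocation itself, provided callers check for nullptr. The function also returns an owning raw pointer, so a comment such as `// Caller owns the returned UserInfo; may be nullptr on allocation failure.` would make the lifetime explicit.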
@@ -385,108 +362,6 @@ URLDatum *HandleNonBackslashPrefix(URLDatum *url, const std::string &scheme, con return nullptr; } -int SetURLDatumInfo(URLDatum *url, const std::string &scheme, bool viaRequest, std::string &rest) -{ - if ((!scheme.empty() || (!viaRequest && rest.substr(0, 3) == "///")) && rest.substr(0, 2) == "//") { - std::string authority; - Split(rest.substr(2, rest.size()), "/", false, authority, rest); - std::string host = url->GetHost(); - UserInfo *user = url->GetUser(); - if (ParseAuthority(authority, &user, host)) { - return -1; - } - url->SetHost(host); - url->SetUser(user); - } - if (url->SetPath(rest)) { - return -1; - } - url->SetScheme(scheme); - return 0; -} - -URLDatum *Parse(const std::string &rawurl, bool viaRequest) -{ - if (rawurl.empty() && viaRequest) { - ERROR("empty url!"); - return nullptr; - } - auto *url = new (std::nothrow) URLDatum; - if (url == nullptr) { - ERROR("Out of memory"); - return nullptr; - } - if (rawurl == "*") { - url->SetPathWithoutEscape("*"); - return url; - } - std::string scheme = url->GetScheme(); - std::string rest; - if (SplitOffPossibleLeading(scheme, rawurl, url, rest) != 0) { - return nullptr; - } - bool shouldRet = false; - auto *tmpret = HandleNonBackslashPrefix(url, scheme, rest, viaRequest, shouldRet); - if (shouldRet) { - return tmpret; - } - if (SetURLDatumInfo(url, scheme, viaRequest, rest) != 0) { - return nullptr; - } - return url; -} - -int ParseAuthority(const std::string &authority, UserInfo **user, std::string &host) -{ - size_t i = authority.find("@"); - if (i == std::string::npos) { - if (ParseHost(authority, host) != 0) { - *user = nullptr; - host = ""; - return -1; - } - } else { - if (ParseHost(authority.substr(i + 1, authority.size()), host) != 0) { - *user = nullptr; - host = ""; - return -1; - } - } - if (i == std::string::npos) { - *user = nullptr; - return 0; - } - - std::string userinfo = authority.substr(0, i); - if (!ValidUserinfo(userinfo)) { - *user = nullptr; - host = ""; - 
ERROR("net/url: invalid userinfo"); - return -1; - } - if (userinfo.find(":") == std::string::npos) { - userinfo = Unescape(userinfo, EncodeMode::ENCODE_USER_PASSWORD); - if (userinfo.empty()) { - *user = nullptr; - host = ""; - return -1; - } - *user = User(userinfo); - } else { - std::string servername, serverword; - Split(userinfo, ":", true, servername, serverword); - servername = Unescape(servername, EncodeMode::ENCODE_USER_PASSWORD); - serverword = Unescape(serverword, EncodeMode::ENCODE_USER_PASSWORD); - if (servername.empty() || serverword.empty()) { - *user = nullptr; - host = ""; - return -1; - } - *user = UserPassword(servername, serverword); - } - return 0; -} - int ParseHost(std::string host, std::string &out) { if (host.at(0) == '[') { @@ -756,9 +631,6 @@ std::string UserInfo::String() const std::string s; if (!m_username.empty()) { s = Escape(m_username, EncodeMode::ENCODE_USER_PASSWORD); - if (m_passwordSet) { - s += ":" + Escape(m_password, EncodeMode::ENCODE_USER_PASSWORD); - } } return s; } @@ -766,11 +638,6 @@ std::string UserInfo::Username() const { return m_username; } -std::string UserInfo::Password(bool &set) const -{ - set = m_passwordSet; - return m_password; -} URLDatum::~URLDatum() { @@ -860,15 +727,6 @@ bool URLDatum::IsAbs() const return (m_scheme != ""); } -std::unique_ptr URLDatum::UrlParse(const std::string &ref) -{ - auto *refurl = Parse(ref); - if (refurl == nullptr) { - return nullptr; - } - return ResolveReference(refurl); -} - std::unique_ptr URLDatum::ResolveReference(URLDatum *ref) { std::unique_ptr url(new (std::nothrow) URLDatum(*ref)); diff --git a/src/utils/cpputils/url.h b/src/utils/cpputils/url.h index abbf20f4..3dd40079 100644 --- a/src/utils/cpputils/url.h +++ b/src/utils/cpputils/url.h 
@@ -49,17 +49,13 @@ private: class UserInfo { public: - UserInfo(const std::string &u, const std::string &p, bool b) : m_username(u), m_password(p), - m_passwordSet(b) {} + UserInfo(const std::string &u) : m_username(u) {} ~UserInfo() = default; std::string String() const; std::string Username() const; - std::string Password(bool &set) const; private: std::string m_username; - std::string m_password; - bool m_passwordSet; }; class URLDatum { @@ -69,7 +65,6 @@ public: std::string EscapedPath(); std::string String(); bool IsAbs() const; - std::unique_ptr UrlParse(const std::string &ref); std::unique_ptr ResolveReference(URLDatum *ref); auto Query()->std::map>; std::string RequestURI(); @@ -88,7 +83,7 @@ public: { m_opaque = value; } - std::string GetOpaque() const + std::string GetOpaque() const { return m_opaque; } @@ -96,7 +91,7 @@ public: { m_user = value; } - UserInfo *GetUser() const + UserInfo *GetUser() const { return m_user; } @@ -128,7 +123,7 @@ public: { m_rawQuery = value; } - std::string GetRawQuery() const + std::string GetRawQuery() const { return m_rawQuery; } @@ -136,7 +131,7 @@ public: { m_fragment = value; } - std::string GetFragment() const + std::string GetFragment() const { return m_fragment; } 
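Review bot: The new single-argument constructor `UserInfo(const std::string &u) : m_username(u) {}` is not marked `explicit`, so any std::string now converts implicitly to a UserInfo, which the old three-argument form did not allow. Declaring it `explicit UserInfo(const std::string &u) : m_username(u) {}` keeps construction deliberate, and the `new UserInfo { username }` call in url.cc still compiles with it. The class body starts above this hunk, so other constructors, if any, are not visible here.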
@@ -163,13 +158,9 @@ std::string QueryUnescape(const std::string &s); std::string Unescape(std::string s, const EncodeMode &mode); std::string QueryEscape(const std::string &s); std::string Escape(const std::string &s, const EncodeMode &mode); -UserInfo *UserPassword(const std::string &username, const std::string &password) noexcept; UserInfo *User(const std::string &username) noexcept; int Getscheme(const std::string &rawurl, std::string &scheme, std::string &path); void Split(const std::string &s, const std::string &c, bool cutc, std::string &t, std::string &u); -URLDatum *Parse(const std::string &rawurl); -URLDatum *Parse(const std::string &rawurl, bool viaRequest); -int ParseAuthority(const std::string &authority, UserInfo **user, std::string &host); int ParseHost(std::string host, std::string &out); bool ValidEncodedPath(const std::string &s); bool ValidOptionalPort(const std::string &port); -- 2.40.1