Escape terminal special characters in kubectl #112553
Conversation
k8s-ci-robot
added
release-note
|
Welcome @dgl! |
k8s-ci-robot
added
needs-ok-to-test
|
Hi @dgl. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
area/kubectl
sig/cli
|
/sig cli |
k8s-ci-robot
added
the
sig/security
k8s-ci-robot
removed
the
do-not-merge/invalid-commit-message
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
/assign @soltysh |
k8s-ci-robot
added
the
lgtm
| if truncated { | ||
| fmt.Fprint(output, "...") | ||
| } | ||
| default: | ||
| fmt.Fprint(output, val) | ||
| WriteEscaped(output, fmt.Sprint(val)) |
There was a problem hiding this comment.
Sorry, I'm not fully aware of the context of this change. Why we are fmt.Sprint(val)?
There was a problem hiding this comment.
It's to get val into a string (i.e. via Stringer or the rules fmt uses), it made sense to me to make the new WriteEscaped take a string, rather than put the formatting over there, which might not match all caller's expectations.
| e.Reason, | ||
| e.InvolvedObject.Kind, e.InvolvedObject.Name, | ||
| strings.TrimSpace(e.Message), | ||
| printers.EscapeTerminal(e.Type), |
There was a problem hiding this comment.
Aren't events only generated by kubernetes itself?, how user can generate events needed to be escaped?
There was a problem hiding this comment.
See the kubectl create command mentioned in #101695 (comment) -- it's possible for a user (with enough permission against say a namespace) to do this, which could then be viewed by an admin or other user.
It might also be possible to get a \x1B into an error message that an operator or other component ends up putting into an event -- it doesn't make sense that every component should have to consider terminal escaping that is only relevant to kubectl (in the same way HTML escaping is usually done by the component that renders the HTML).
| @@ -148,11 +149,13 @@ func (pw *prefixWriter) Write(level int, format string, a ...interface{}) { | |||
| for i := 0; i < level; i++ { | |||
| prefix += levelSpace | |||
| } | |||
| fmt.Fprintf(pw.out, prefix+format, a...) | |||
| output := fmt.Sprintf(prefix+format, a...) | |||
There was a problem hiding this comment.
fmt.Sprintf automatically escapes special characters?
There was a problem hiding this comment.
This formats it into a string, where WriteEscaped on the next line does that.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dgl, pacoxu, soltysh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/labe tide/merge-method-squash |
|
/label tide/merge-method-squash |
k8s-ci-robot
added
the
tide/merge-method-squash
|
/retest |
|
Will this fix be available in 1.25 and 1.24? I tried to find relevant guidance in the Kubernetes security documentation but did not see anything. thanks |
* Escape terminal special characters in kubectl * Add escaping for kubectl alpha events
Fixes #101695.
What type of PR is this?
/kind bug
What this PR does / why we need it:
Escapes terminal special characters in kubectl output. These can be used to confuse the user of kubectl, or potentially more serious attacks if their terminal emulator has a bug, as mentioned in the related issue.
Which issue(s) this PR fixes:
Fixes #101695
Special notes for your reviewer:
I've covered:
kubectl get(default table view)kubectl get events -o custom-columns=message:".message"kubectl describekubectl alpha eventsWhich I believe covers the original report along with the follow-up mentioned in #107617. Additionally I've confirmed that
kubectl get -o jsonandkubectl get -o yamlperform their own escaping.In addition to the original report I noticed that
\ris allowed in various contexts, which can be used to replace the current line, and therefore still trick a user, so that is also escaped.There are some cases which will not be covered, e.g. users using
-o template=..., this is harder to fix as the user could be expecting to parse these outputs and ad-hoc human readable escaping may not be suitable. I believe these are less of a concern as the main commands are covered (we could consider detecting if the tty is a terminal or not, as done in some places in kubectl already, but then there are still issues, e.g. a user piping to grep).Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: