join_tokens: Move shell quote to getJoinScript rather than where pa…
…rameters are extracted

This will increase safety moving forward, but it requires a more conservative quoting strategy.
jentfoo committed Mar 25, 2024
1 parent 89f5d80 commit 6b49943
Showing 1 changed file with 17 additions and 17 deletions.
34 changes: 17 additions & 17 deletions lib/web/join_tokens.go
@@ -237,11 +237,11 @@ func (h *Handler) getNodeJoinScriptHandle(w http.ResponseWriter, r *http.Request
}

settings := scriptSettings{
token: utils.UnixShellQuote(params.ByName("token")),
token: params.ByName("token"),
appInstallMode: false,
joinMethod: utils.UnixShellQuote(r.URL.Query().Get("method")),
joinMethod: r.URL.Query().Get("method"),
installUpdater: autoUpgrades,
automaticUpgradesVersion: utils.UnixShellQuote(autoUpgradesVersion),
automaticUpgradesVersion: autoUpgradesVersion,
}

script, err := getJoinScript(r.Context(), settings, h.GetProxyClient())
@@ -285,12 +285,12 @@ func (h *Handler) getAppJoinScriptHandle(w http.ResponseWriter, r *http.Request,
}

settings := scriptSettings{
token: utils.UnixShellQuote(params.ByName("token")),
token: params.ByName("token"),
appInstallMode: true,
appName: utils.UnixShellQuote(name),
appURI: utils.UnixShellQuote(uri),
appName: name,
appURI: uri,
installUpdater: autoUpgrades,
automaticUpgradesVersion: utils.UnixShellQuote(autoUpgradesVersion),
automaticUpgradesVersion: autoUpgradesVersion,
}

script, err := getJoinScript(r.Context(), settings, h.GetProxyClient())
@@ -319,10 +319,10 @@ func (h *Handler) getDatabaseJoinScriptHandle(w http.ResponseWriter, r *http.Req
}

settings := scriptSettings{
token: utils.UnixShellQuote(params.ByName("token")),
token: params.ByName("token"),
databaseInstallMode: true,
installUpdater: autoUpgrades,
automaticUpgradesVersion: utils.UnixShellQuote(autoUpgradesVersion),
automaticUpgradesVersion: autoUpgradesVersion,
}

script, err := getJoinScript(r.Context(), settings, h.GetProxyClient())
@@ -365,11 +365,11 @@ func (h *Handler) getDiscoveryJoinScriptHandle(w http.ResponseWriter, r *http.Re
}

settings := scriptSettings{
token: utils.UnixShellQuote(params.ByName("token")),
token: params.ByName("token"),
discoveryInstallMode: true,
discoveryGroup: utils.UnixShellQuote(discoveryGroup),
discoveryGroup: discoveryGroup,
installUpdater: autoUpgrades,
automaticUpgradesVersion: utils.UnixShellQuote(autoUpgradesVersion),
automaticUpgradesVersion: autoUpgradesVersion,
}

script, err := getJoinScript(r.Context(), settings, h.GetProxyClient())
@@ -510,16 +510,16 @@ func getJoinScript(ctx context.Context, settings scriptSettings, m nodeAPIGetter
"packageName": packageName,
"repoChannel": repoChannel,
"installUpdater": strconv.FormatBool(settings.installUpdater),
"version": version,
"version": utils.UnixShellQuote(version),
"appInstallMode": strconv.FormatBool(settings.appInstallMode),
"appName": settings.appName,
"appURI": settings.appURI,
"joinMethod": settings.joinMethod,
"appName": utils.UnixShellQuote(settings.appName),
"appURI": utils.UnixShellQuote(settings.appURI),
"joinMethod": utils.UnixShellQuote(settings.joinMethod),
"labels": strings.Join(labelsList, ","),
"databaseInstallMode": strconv.FormatBool(settings.databaseInstallMode),
"db_service_resource_labels": dbServiceResourceLabels,
"discoveryInstallMode": settings.discoveryInstallMode,
"discoveryGroup": settings.discoveryGroup,
"discoveryGroup": utils.UnixShellQuote(settings.discoveryGroup),
})
if err != nil {
return "", trace.Wrap(err)
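Review bot: After this change none of the four handlers quotes `params.ByName("token")`, and the visible part of the template data map in getJoinScript adds `utils.UnixShellQuote` for `version`, `appName`, `appURI`, `joinMethod` and `discoveryGroup` but shows no quoted token entry. The map literal and the rest of getJoinScript start above the hunk, so the token may already be validated or quoted there; if it is not, `settings.token` should be wrapped in `utils.UnixShellQuote` at the point where it enters the map. In the same map `labels` and `db_service_resource_labels` are still passed through unquoted, so if their values can contain characters outside a fixed safe set they belong under the same rule. A short comment above the map, such as `// Every request- or token-derived string placed in this map must pass through utils.UnixShellQuote or be validated against a fixed format.`, would keep future fields from being added raw.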
