mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
volume: mask password in cifs mount error messages
In managed environment (such as Nomad clusters), users are not always supposed to see credentials used to mount volumes. However, if errors occur (most commonly, misspelled mount paths), the error messages will output the full mount command -- which might contain a username and a password in the case of CIFS mounts. This PR detects password=... when error messages are wrapped and masks them with ********. Closes https://github.com/fsouza/go-dockerclient/issues/905. Closes https://github.com/hashicorp/nomad/issues/12296. Closes https://github.com/moby/moby/issues/43596. Signed-off-by: Sebastian Höffner <sebastian.hoeffner@mevis.fraunhofer.de>
This commit is contained in:
parent
f1dd6bf84e
commit
9a7298a3e6
3 changed files with 36 additions and 0 deletions
|
@ -366,3 +366,15 @@ func getAddress(opts string) string {
|
||||||
}
|
}
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// getPassword finds out a password from options
|
||||||
|
func getPassword(opts string) string {
|
||||||
|
optsList := strings.Split(opts, ",")
|
||||||
|
for i := 0; i < len(optsList); i++ {
|
||||||
|
if strings.HasPrefix(optsList[i], "password=") {
|
||||||
|
passwd := strings.SplitN(optsList[i], "=", 2)[1]
|
||||||
|
return passwd
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
|
@ -29,6 +29,25 @@ func TestGetAddress(t *testing.T) {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestGetPassword(t *testing.T) {
|
||||||
|
cases := map[string]string{
|
||||||
|
"password=secret": "secret",
|
||||||
|
" ": "",
|
||||||
|
"password=": "",
|
||||||
|
"password=Tr0ub4dor&3": "Tr0ub4dor&3",
|
||||||
|
"password=correcthorsebatterystaple": "correcthorsebatterystaple",
|
||||||
|
"username=moby,password=secret": "secret",
|
||||||
|
"username=moby,password=secret,addr=11": "secret",
|
||||||
|
"username=moby,addr=11": "",
|
||||||
|
}
|
||||||
|
for optsstring, success := range cases {
|
||||||
|
v := getPassword(optsstring)
|
||||||
|
if v != success {
|
||||||
|
t.Errorf("Test case failed for %s actual: %s expected : %s", optsstring, v, success)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestRemove(t *testing.T) {
|
func TestRemove(t *testing.T) {
|
||||||
skip.If(t, runtime.GOOS == "windows", "FIXME: investigate why this test fails on CI")
|
skip.If(t, runtime.GOOS == "windows", "FIXME: investigate why this test fails on CI")
|
||||||
rootDir, err := os.MkdirTemp("", "local-volume-test")
|
rootDir, err := os.MkdirTemp("", "local-volume-test")
|
||||||
|
|
|
@ -143,6 +143,11 @@ func (v *localVolume) mount() error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
err := mount.Mount(v.opts.MountDevice, v.path, v.opts.MountType, mountOpts)
|
err := mount.Mount(v.opts.MountDevice, v.path, v.opts.MountType, mountOpts)
|
||||||
|
if err != nil {
|
||||||
|
if password := getPassword(v.opts.MountOpts); password != "" {
|
||||||
|
err = errors.New(strings.Replace(err.Error(), "password="+password, "password=********", 1))
|
||||||
|
}
|
||||||
|
}
|
||||||
return errors.Wrap(err, "failed to mount local volume")
|
return errors.Wrap(err, "failed to mount local volume")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue