1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

volume: mask password in cifs mount error messages

In managed environment (such as Nomad clusters), users are not always
supposed to see credentials used to mount volumes.
However, if errors occur (most commonly, misspelled mount paths), the
error messages will output the full mount command -- which might contain
a username and a password in the case of CIFS mounts.

This PR detects password=... when error messages are wrapped and masks
them with ********.

Closes https://github.com/fsouza/go-dockerclient/issues/905.
Closes https://github.com/hashicorp/nomad/issues/12296.
Closes https://github.com/moby/moby/issues/43596.

Signed-off-by: Sebastian Höffner <sebastian.hoeffner@mevis.fraunhofer.de>
This commit is contained in:
Sebastian Höffner 2022-05-12 16:53:02 +02:00 committed by Sebastian Höffner
parent f1dd6bf84e
commit 9a7298a3e6
No known key found for this signature in database
GPG key ID: 96F5DCE7487EBDD5
3 changed files with 36 additions and 0 deletions

View file

@ -366,3 +366,15 @@ func getAddress(opts string) string {
} }
return "" return ""
} }
// getPassword finds out a password from options
func getPassword(opts string) string {
optsList := strings.Split(opts, ",")
for i := 0; i < len(optsList); i++ {
if strings.HasPrefix(optsList[i], "password=") {
passwd := strings.SplitN(optsList[i], "=", 2)[1]
return passwd
}
}
return ""
}

View file

@ -29,6 +29,25 @@ func TestGetAddress(t *testing.T) {
} }
func TestGetPassword(t *testing.T) {
cases := map[string]string{
"password=secret": "secret",
" ": "",
"password=": "",
"password=Tr0ub4dor&3": "Tr0ub4dor&3",
"password=correcthorsebatterystaple": "correcthorsebatterystaple",
"username=moby,password=secret": "secret",
"username=moby,password=secret,addr=11": "secret",
"username=moby,addr=11": "",
}
for optsstring, success := range cases {
v := getPassword(optsstring)
if v != success {
t.Errorf("Test case failed for %s actual: %s expected : %s", optsstring, v, success)
}
}
}
func TestRemove(t *testing.T) { func TestRemove(t *testing.T) {
skip.If(t, runtime.GOOS == "windows", "FIXME: investigate why this test fails on CI") skip.If(t, runtime.GOOS == "windows", "FIXME: investigate why this test fails on CI")
rootDir, err := os.MkdirTemp("", "local-volume-test") rootDir, err := os.MkdirTemp("", "local-volume-test")

View file

@ -143,6 +143,11 @@ func (v *localVolume) mount() error {
} }
} }
err := mount.Mount(v.opts.MountDevice, v.path, v.opts.MountType, mountOpts) err := mount.Mount(v.opts.MountDevice, v.path, v.opts.MountType, mountOpts)
if err != nil {
if password := getPassword(v.opts.MountOpts); password != "" {
err = errors.New(strings.Replace(err.Error(), "password="+password, "password=********", 1))
}
}
return errors.Wrap(err, "failed to mount local volume") return errors.Wrap(err, "failed to mount local volume")
} }