Skip to content

hubble: escape terminal special characters from observe output #37401

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 13, 2025
Merged

hubble: escape terminal special characters from observe output #37401

merged 1 commit into from
Feb 13, 2025

Conversation

devodev
Copy link
Contributor

@devodev devodev commented Jan 31, 2025

Escape special characters from hubble observe output when not using JSON formatting to protect against possible malicious character injection.

This approach escapes characters at the very end, before writing the output to its writer. It also takes care of allowing control characters used to colorize the output. I tried something smart, but we might want to simply escape manually all callsites that may return unsanitized strings before colorizing.

Similar to: kubernetes/kubernetes#101695
Similar to: python/cpython#100001

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 31, 2025
@github-actions github-actions bot added hubble-cli PRs or GitHub issues related with hubble-cli hubble-cli-exclusive Only changes hubble-cli files. kind/community-contribution This was a contribution made by a community member. labels Jan 31, 2025
@devodev devodev force-pushed the pr/devodev/hubble-escape-term branch from 03c1938 to 511ad4f Compare January 31, 2025 21:46
chancez
chancez reviewed Jan 31, 2025
View reviewed changes
chancez
chancez previously requested changes Jan 31, 2025
View reviewed changes
Copy link
Contributor

@chancez chancez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add a set of test that actually tests this with each output format to ensure it works when combined with the rest of the code. So basically an e2e test of sorts.

@devodev
Copy link
Contributor Author

devodev commented Jan 31, 2025

We should add a set of test that actually tests this with each output format to ensure it works when combined with the rest of the code. So basically an e2e test of sorts.

I can add unit tests that use Printer directly and write each supported types containing control sequences and colorized fields.

@devodev
hubble: escape terminal special characters from observe output
e478216 
Escape special characters from `hubble observe` output when not
using JSON formatting to protect against possible malicious
character injection.

Similar to: kubernetes/kubernetes#101695
Similar to: python/cpython#100001

Signed-off-by: Alexandre Barone <abalexandrebarone@gmail.com>
@devodev devodev force-pushed the pr/devodev/hubble-escape-term branch from 511ad4f to e478216 Compare February 4, 2025 15:14
@devodev
Copy link
Contributor Author

devodev commented Feb 4, 2025

We should add a set of test that actually tests this with each output format to ensure it works when combined with the rest of the code. So basically an e2e test of sorts.

I updated existing printer tests to add entries for each output type and colored/not colored.

@devodev devodev marked this pull request as ready for review February 4, 2025 15:17
@devodev devodev requested a review from a team as a code owner February 4, 2025 15:17
@devodev devodev requested a review from kaworu February 4, 2025 15:17
kaworu
kaworu approved these changes Feb 5, 2025
View reviewed changes
Copy link
Member

@kaworu kaworu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @devodev !

@kaworu kaworu added the release-note/misc This PR makes changes that have no direct user impact. label Feb 5, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 5, 2025
@kaworu kaworu added sig/hubble dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. area/hubble Impacts hubble server or relay labels Feb 5, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 5, 2025
@kaworu
Copy link
Member

kaworu commented Feb 5, 2025

/test

@devodev
Copy link
Contributor Author

devodev commented Feb 10, 2025

I think we can safely remove @chancez as reviewer and @kaworu already approved.

@devodev devodev requested a review from kaworu February 12, 2025 15:31
@kaworu kaworu removed the request for review from chancez February 12, 2025 15:54
@kaworu kaworu requested review from kaworu and removed request for chancez February 12, 2025 15:55
@kaworu
Copy link
Member

kaworu commented Feb 12, 2025

/test

@rolinh rolinh requested review from chancez and removed request for chancez February 13, 2025 07:52
@mtardy mtardy removed the request for review from chancez February 13, 2025 14:12
@mtardy mtardy dismissed chancez’s stale review February 13, 2025 14:13

Busy parenting!

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 13, 2025
@julianwiedmann julianwiedmann added this pull request to the merge queue Feb 13, 2025
Merged via the queue into cilium:main with commit 5a9252f Feb 13, 2025
82 checks passed
@devodev
Copy link
Contributor Author

devodev commented Feb 13, 2025

We might want to add a security label on this PR.

@kaworu kaworu added release-note/bug This PR fixes an issue in a previous release of Cilium. needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch and removed release-note/misc This PR makes changes that have no direct user impact. labels Feb 14, 2025
@nbusseneau nbusseneau mentioned this pull request Feb 14, 2025
Merged
6 tasks
@nbusseneau nbusseneau added backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. and removed needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Feb 14, 2025
@nbusseneau nbusseneau mentioned this pull request Feb 14, 2025
Merged
22 tasks
@nbusseneau nbusseneau added backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. and removed needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels Feb 14, 2025
@github-actions github-actions bot added backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. and removed backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. labels Feb 18, 2025
@GoVulnBot GoVulnBot mentioned this pull request May 20, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kaworu kaworu kaworu approved these changes

@chancez chancez chancez left review comments

Assignees

@devodev devodev

Labels
area/hubble Impacts hubble server or relay backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. hubble-cli PRs or GitHub issues related with hubble-cli hubble-cli-exclusive Only changes hubble-cli files. kind/community-contribution This was a contribution made by a community member. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@devodev @kaworu @chancez @nbusseneau @julianwiedmann