Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hubble: escape terminal special characters from observe output #37401

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

hubble: escape terminal special characters from observe output #37401

wants to merge 1 commit into from

Conversation

devodev
Copy link
Contributor

@devodev devodev commented Jan 31, 2025

Escape special characters from hubble observe output when not using JSON formatting to protect against possible malicious character injection.

This approach escapes characters at the very end, before writing the output to its writer. It also takes care of allowing control characters used to colorize the output. I tried something smart, but we might want to simply escape manually all callsites that may return unsanitized strings before colorizing.

Similar to: kubernetes/kubernetes#101695
Similar to: python/cpython#100001

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 31, 2025
@github-actions github-actions bot added hubble-cli PRs or GitHub issues related with hubble-cli hubble-cli-exclusive kind/community-contribution This was a contribution made by a community member. labels Jan 31, 2025
@devodev devodev force-pushed the pr/devodev/hubble-escape-term branch from 03c1938 to 511ad4f Compare January 31, 2025 21:46
chancez
chancez reviewed Jan 31, 2025
View reviewed changes
hubble/pkg/printer/terminal.go Outdated
err error
}

func (tew *terminalEscaperWriter) Write(a ...interface{}) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: naming a method Write when it doesn't implement io.Writer might be confusing. Also it probably doesn't need to be exported since it's not imported outside this package.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah its the names that were there before. I made it public to differentiate the available API, but I also wanted to rename those to Print and Printf since they map to fmt and not writer.

I'll update

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated to use the print funcs format

chancez
chancez requested changes Jan 31, 2025
View reviewed changes
Copy link
Contributor

@chancez chancez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add a set of test that actually tests this with each output format to ensure it works when combined with the rest of the code. So basically an e2e test of sorts.

@devodev
Copy link
Contributor Author

devodev commented Jan 31, 2025

We should add a set of test that actually tests this with each output format to ensure it works when combined with the rest of the code. So basically an e2e test of sorts.

I can add unit tests that use Printer directly and write each supported types containing control sequences and colorized fields.

@devodev
hubble: escape terminal special characters from observe output
e478216 
Escape special characters from `hubble observe` output when not
using JSON formatting to protect against possible malicious
character injection.

Similar to: kubernetes/kubernetes#101695
Similar to: python/cpython#100001

Signed-off-by: Alexandre Barone <abalexandrebarone@gmail.com>
@devodev devodev force-pushed the pr/devodev/hubble-escape-term branch from 511ad4f to e478216 Compare February 4, 2025 15:14
@devodev
Copy link
Contributor Author

devodev commented Feb 4, 2025

We should add a set of test that actually tests this with each output format to ensure it works when combined with the rest of the code. So basically an e2e test of sorts.

I updated existing printer tests to add entries for each output type and colored/not colored.

@devodev devodev marked this pull request as ready for review February 4, 2025 15:17
@devodev devodev requested a review from a team as a code owner February 4, 2025 15:17
@devodev devodev requested a review from kaworu February 4, 2025 15:17
kaworu
kaworu approved these changes Feb 5, 2025
View reviewed changes
Copy link
Member

@kaworu kaworu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @devodev !

@kaworu kaworu added the release-note/misc This PR makes changes that have no direct user impact. label Feb 5, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 5, 2025
@kaworu kaworu added sig/hubble Impacts hubble server or relay dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. area/hubble Related to Hubble labels Feb 5, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 5, 2025
@kaworu
Copy link
Member

kaworu commented Feb 5, 2025

/test

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kaworu kaworu kaworu approved these changes

@chancez chancez Awaiting requested review from chancez

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
area/hubble Related to Hubble hubble-cli PRs or GitHub issues related with hubble-cli hubble-cli-exclusive kind/community-contribution This was a contribution made by a community member. release-note/misc This PR makes changes that have no direct user impact. sig/hubble Impacts hubble server or relay
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@devodev @kaworu @chancez