add unit test to verify CSI plugin filenames are escaped

hashicorp · Nov 25, 2020 · 4ac5298 · 4ac5298
1 parent 215a67f
commit 4ac5298
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 2 deletions.
diff --git a/command/operator_debug.go b/command/operator_debug.go
@@ -734,7 +734,7 @@ func (c *OperatorDebugCommand) collectNomad(dir string, client *api.Client) erro
 	// Loop over each plugin - /v1/plugin/csi/:plugin_id
 	for _, p := range ps {
 		csiPlugin, _, err := client.CSIPlugins().Info(p.ID, qo)
-		csiPluginFileName := fmt.Sprintf("csi-plugin-id-%s", p.ID)
+		csiPluginFileName := fmt.Sprintf("csi-plugin-id-%s.json", p.ID)
 		c.writeJSON(dir, csiPluginFileName, csiPlugin, err)
 	}
 
@@ -818,7 +818,7 @@ func (c *OperatorDebugCommand) writeBytes(dir, file string, data []byte) error {
 
 	// Ensure filename doesn't escape the sandbox of the capture directory
 	escapes := helper.PathEscapesSandbox(c.collectDir, filePath)
-	if escapes { //&& sandboxEnabled {
+	if escapes {
 		return fmt.Errorf("file path escapes capture directory")
 	}
 

diff --git a/command/operator_debug_test.go b/command/operator_debug_test.go
@@ -1,18 +1,66 @@
 package command
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
 	"time"
 
 	"github.com/hashicorp/nomad/command/agent"
+	"github.com/hashicorp/nomad/helper"
+	"github.com/hashicorp/nomad/nomad/state"
 	"github.com/hashicorp/nomad/testutil"
 	"github.com/mitchellh/cli"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
+func Test_BadCSIPluginNames(t *testing.T) {
+	// Start test server and API client
+	srv, _, url := testServer(t, false, nil)
+	defer srv.Shutdown()
+
+	// Wait for leadership to establish
+	testutil.WaitForLeader(t, srv.Agent.RPC)
+
+	cases := []string{
+		"aws/ebs",
+		"gcp-*-1",
+	}
+	for _, pluginName := range cases {
+		cleanup := state.CreateTestCSIPlugin(srv.Agent.Server().State(), pluginName)
+		defer cleanup()
+	}
+
+	// Setup mock UI
+	ui := cli.NewMockUi()
+	cmd := &OperatorDebugCommand{Meta: Meta{Ui: ui}}
+
+	// Debug on the leader and all client nodes
+	code := cmd.Run([]string{"-address", url, "-duration", "250ms", "-server-id", "leader", "-node-id", "all", "-output", os.TempDir()})
+	assert.Equal(t, 0, code)
+
+	// Bad plugin name should be escaped before it reaches the sandbox test
+	require.NotContains(t, ui.ErrorWriter.String(), "file path escapes capture directory")
+	require.Contains(t, ui.OutputWriter.String(), "Starting debugger")
+
+	path := cmd.collectDir
+	defer os.Remove(path)
+
+	var pluginFiles []string
+	for _, pluginName := range cases {
+		pluginFile := fmt.Sprintf("csi-plugin-id-%s.json", helper.CleanFilename(pluginName, "_"))
+		pluginFile = filepath.Join(path, "nomad", "0000", pluginFile)
+		pluginFiles = append(pluginFiles, pluginFile)
+	}
+
+	testutil.WaitForFiles(t, pluginFiles)
+
+	ui.OutputWriter.Reset()
+	ui.ErrorWriter.Reset()
+}
+
 func TestDebugUtils(t *testing.T) {
 	xs := argNodes("foo, bar")
 	require.Equal(t, []string{"foo", "bar"}, xs)