csi: Fix parsing of '=' in secrets at command line and HTTP

The command line flag parsing and the HTTP header parsing for CSI secrets incorrectly split at more than one '=' rune, making it impossible to use secrets that included that rune.
hashicorp · Jan 3, 2023 · c4cde59 · c4cde59
1 parent 089e680
commit c4cde59
Show file tree

Hide file tree

Showing 7 changed files with 11 additions and 6 deletions.
diff --git a/.changelog/15670.txt b/.changelog/15670.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+csi: Fixed a bug where secrets that include '=' were incorrectly rejected
+```
diff --git a/command/agent/csi_endpoint.go b/command/agent/csi_endpoint.go
@@ -409,7 +409,7 @@ func parseCSISecrets(req *http.Request) structs.CSISecrets {
 	secrets := map[string]string{}
 	secretkvs := strings.Split(secretsHeader, ",")
 	for _, secretkv := range secretkvs {
-		kv := strings.Split(secretkv, "=")
+		kv := strings.SplitN(secretkv, "=", 2)
 		if len(kv) == 2 {
 			secrets[kv[0]] = kv[1]
 		}

diff --git a/command/agent/csi_endpoint_test.go b/command/agent/csi_endpoint_test.go
@@ -59,6 +59,8 @@ func TestHTTP_CSIParseSecrets(t *testing.T) {
 			structs.CSISecrets(map[string]string{"one": "overwrite"})},
 		{"one=value_one,two=value_two",
 			structs.CSISecrets(map[string]string{"one": "value_one", "two": "value_two"})},
+		{"one=value_one=two,two=value_two",
+			structs.CSISecrets(map[string]string{"one": "value_one=two", "two": "value_two"})},
 	}
 	for _, tc := range testCases {
 		req, _ := http.NewRequest("GET", "/v1/plugin/csi/foo", nil)

diff --git a/command/volume_delete.go b/command/volume_delete.go
@@ -104,7 +104,7 @@ func (c *VolumeDeleteCommand) Run(args []string) int {
 
 	secrets := api.CSISecrets{}
 	for _, kv := range secretsArgs {
-		s := strings.Split(kv, "=")
+		s := strings.SplitN(kv, "=", 2)
 		if len(s) == 2 {
 			secrets[s[0]] = s[1]
 		} else {

diff --git a/command/volume_snapshot_create.go b/command/volume_snapshot_create.go
@@ -117,7 +117,7 @@ func (c *VolumeSnapshotCreateCommand) Run(args []string) int {
 
 	secrets := api.CSISecrets{}
 	for _, kv := range secretsArgs {
-		s := strings.Split(kv, "=")
+		s := strings.SplitN(kv, "=", 2)
 		if len(s) == 2 {
 			secrets[s[0]] = s[1]
 		} else {
@@ -128,7 +128,7 @@ func (c *VolumeSnapshotCreateCommand) Run(args []string) int {
 
 	params := map[string]string{}
 	for _, kv := range parametersArgs {
-		p := strings.Split(kv, "=")
+		p := strings.SplitN(kv, "=", 2)
 		if len(p) == 2 {
 			params[p[0]] = p[1]
 		}

diff --git a/command/volume_snapshot_delete.go b/command/volume_snapshot_delete.go
@@ -94,7 +94,7 @@ func (c *VolumeSnapshotDeleteCommand) Run(args []string) int {
 
 	secrets := api.CSISecrets{}
 	for _, kv := range secretsArgs {
-		s := strings.Split(kv, "=")
+		s := strings.SplitN(kv, "=", 2)
 		if len(s) == 2 {
 			secrets[s[0]] = s[1]
 		} else {

diff --git a/command/volume_snapshot_list.go b/command/volume_snapshot_list.go
@@ -140,7 +140,7 @@ func (c *VolumeSnapshotListCommand) Run(args []string) int {
 
 	secrets := api.CSISecrets{}
 	for _, kv := range secretsArgs {
-		s := strings.Split(kv, "=")
+		s := strings.SplitN(kv, "=", 2)
 		if len(s) == 2 {
 			secrets[s[0]] = s[1]
 		} else {