csi: Fix parsing of '=' in secrets at command line and HTTP (#15670) (#…

…15673) The command line flag parsing and the HTTP header parsing for CSI secrets incorrectly split at more than one '=' rune, making it impossible to use secrets that included that rune. Co-authored-by: Tim Gross <tgross@hashicorp.com>
hashicorp · Jan 3, 2023 · d14eee9 · d14eee9
1 parent e27e1c6
commit d14eee9
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 9 deletions.
diff --git a/.changelog/15670.txt b/.changelog/15670.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+csi: Fixed a bug where secrets that include '=' were incorrectly rejected
+```
diff --git a/command/agent/csi_endpoint.go b/command/agent/csi_endpoint.go
@@ -305,11 +305,11 @@ func (s *HTTPServer) csiSnapshotDelete(resp http.ResponseWriter, req *http.Reque
 	query := req.URL.Query()
 	snap.PluginID = query.Get("plugin_id")
 	snap.ID = query.Get("snapshot_id")
+
 	secrets := query["secret"]
 	for _, raw := range secrets {
-		secret := strings.Split(raw, "=")
-		if len(secret) == 2 {
-			snap.Secrets[secret[0]] = secret[1]
+		if key, value, found := strings.Cut(raw, "="); found {
+			snap.Secrets[key] = value
 		}
 	}
 
@@ -340,9 +340,8 @@ func (s *HTTPServer) csiSnapshotList(resp http.ResponseWriter, req *http.Request
 		secrets := strings.Split(querySecrets[0], ",")
 		args.Secrets = make(structs.CSISecrets)
 		for _, raw := range secrets {
-			secret := strings.Split(raw, "=")
-			if len(secret) == 2 {
-				args.Secrets[secret[0]] = secret[1]
+			if key, value, found := strings.Cut(raw, "="); found {
+				args.Secrets[key] = value
 			}
 		}
 	}

diff --git a/command/volume_snapshot_delete.go b/command/volume_snapshot_delete.go
@@ -94,9 +94,8 @@ func (c *VolumeSnapshotDeleteCommand) Run(args []string) int {
 
 	secrets := api.CSISecrets{}
 	for _, kv := range secretsArgs {
-		s := strings.Split(kv, "=")
-		if len(s) == 2 {
-			secrets[s[0]] = s[1]
+		if key, value, found := strings.Cut(kv, "="); found {
+			secrets[key] = value
 		}
 	}