[
https://issues.apache.org/jira/browse/CLOUDSTACK-9593?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16305264#comment-16305264
]
ASF GitHub Bot commented on CLOUDSTACK-9593:
--------------------------------------------
rhtyd closed pull request #1760: CLOUDSTACK-9593: userdata: enforce data is a
multiple of 4 characters
URL: https://github.com/apache/cloudstack/pull/1760
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
b/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
index fbe9d784432..6afd976e7e2 100644
--- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
+++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
@@ -27,6 +27,7 @@
import java.util.Map;
import java.util.Set;
+import org.apache.commons.codec.binary.Base64;
import org.apache.log4j.Logger;
import com.cloud.hypervisor.Hypervisor;
@@ -64,9 +65,49 @@ public boolean supportsRollingUpgrade() {
@Override
public void performDataMigration(Connection conn) {
+ validateUserDataInBase64(conn);
updateSystemVmTemplates(conn);
}
+ private void validateUserDataInBase64(Connection conn) {
+ try (final PreparedStatement selectStatement =
conn.prepareStatement("SELECT `id`, `user_data` FROM `cloud`.`user_vm` WHERE
`user_data` IS NOT NULL;");
+ final ResultSet selectResultSet = selectStatement.executeQuery())
{
+ while (selectResultSet.next()) {
+ final Long userVmId = selectResultSet.getLong(1);
+ final String userData = selectResultSet.getString(2);
+ if (Base64.isBase64(userData)) {
+ final String newUserData =
Base64.encodeBase64String(Base64.decodeBase64(userData.getBytes()));
+ if (!userData.equals(newUserData)) {
+ try (final PreparedStatement updateStatement =
conn.prepareStatement("UPDATE `cloud`.`user_vm` SET `user_data` = ? WHERE `id`
= ? ;")) {
+ updateStatement.setString(1, newUserData);
+ updateStatement.setLong(2, userVmId);
+ updateStatement.executeUpdate();
+ } catch (SQLException e) {
+ LOG.error("Failed to update cloud.user_vm
user_data for id:" + userVmId + " with exception: " + e.getMessage());
+ throw new CloudRuntimeException("Exception while
updating cloud.user_vm for id " + userVmId, e);
+ }
+ }
+ } else {
+ // Update to NULL since it's invalid
+ LOG.warn("Removing user_data for vm id " + userVmId + "
because it's invalid");
+ LOG.warn("Removed data was: " + userData);
+ try (final PreparedStatement updateStatement =
conn.prepareStatement("UPDATE `cloud`.`user_vm` SET `user_data` = NULL WHERE
`id` = ? ;")) {
+ updateStatement.setLong(1, userVmId);
+ updateStatement.executeUpdate();
+ } catch (SQLException e) {
+ LOG.error("Failed to update cloud.user_vm user_data
for id:" + userVmId + " to NULL with exception: " + e.getMessage());
+ throw new CloudRuntimeException("Exception while
updating cloud.user_vm for id " + userVmId + " to NULL", e);
+ }
+ }
+ }
+ } catch (SQLException e) {
+ throw new CloudRuntimeException("Exception while validating
existing user_vm table's user_data column to be base64 valid with padding", e);
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Done validating base64 content of user data");
+ }
+ }
+
@SuppressWarnings("serial")
private void updateSystemVmTemplates(final Connection conn) {
LOG.debug("Updating System Vm template IDs");
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java
b/server/src/com/cloud/vm/UserVmManagerImpl.java
index 3591e603b0a..cd725b1b6ab 100644
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -2525,7 +2525,7 @@ public UserVm updateVirtualMachine(long id, String
displayName, String group, Bo
if (userData != null) {
// check and replace newlines
userData = userData.replace("\\n", "");
- validateUserData(userData, httpMethod);
+ userData = validateUserData(userData, httpMethod);
// update userData on domain router.
updateUserdata = true;
} else {
@@ -3395,7 +3395,7 @@ protected UserVm createVirtualMachine(DataCenter zone,
ServiceOffering serviceOf
_accountMgr.checkAccess(owner, AccessType.UseEntry, false, template);
// check if the user data is correct
- validateUserData(userData, httpmethod);
+ userData = validateUserData(userData, httpmethod);
// Find an SSH public key corresponding to the key pair name, if one is
// given
@@ -3942,7 +3942,7 @@ public void
doInTransactionWithoutResult(TransactionStatus status) {
}
}
- private void validateUserData(String userData, HTTPMethod httpmethod) {
+ protected String validateUserData(String userData, HTTPMethod httpmethod) {
byte[] decodedUserData = null;
if (userData != null) {
if (!Base64.isBase64(userData)) {
@@ -3970,7 +3970,10 @@ private void validateUserData(String userData,
HTTPMethod httpmethod) {
if (decodedUserData == null || decodedUserData.length < 1) {
throw new InvalidParameterValueException("User data is too
short");
}
+ // Re-encode so that the '=' paddings are added if necessary since
'isBase64' does not require it, but python does on the VR.
+ return Base64.encodeBase64String(decodedUserData);
}
+ return null;
}
@Override
diff --git a/server/test/com/cloud/vm/UserVmManagerTest.java
b/server/test/com/cloud/vm/UserVmManagerTest.java
index 1bab84cc36c..89555a2c8c8 100644
--- a/server/test/com/cloud/vm/UserVmManagerTest.java
+++ b/server/test/com/cloud/vm/UserVmManagerTest.java
@@ -48,6 +48,7 @@
import com.cloud.event.dao.UsageEventDao;
import com.cloud.uservm.UserVm;
import org.junit.Assert;
+import org.apache.cloudstack.api.BaseCmd;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mock;
@@ -1056,4 +1057,16 @@ public void testPersistDeviceBusInfo() {
_userVmMgr.persistDeviceBusInfo(_vmMock, "lsilogic");
verify(_vmDao, times(1)).saveDetails(any(UserVmVO.class));
}
+
+ @Test
+ public void testValideBase64WithoutPadding() {
+ // fo should be encoded in base64 either as Zm8 or Zm8=
+ String encodedUserdata = "Zm8";
+ String encodedUserdataWithPadding = "Zm8=";
+
+ // Verify that we accept both but return the padded version
+ assertTrue("validate return the value with padding",
encodedUserdataWithPadding.equals(_userVmMgr.validateUserData(encodedUserdata,
BaseCmd.HTTPMethod.GET)));
+ assertTrue("validate return the value with padding",
encodedUserdataWithPadding.equals(_userVmMgr.validateUserData(encodedUserdataWithPadding,
BaseCmd.HTTPMethod.GET)));
+ }
+
}
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> User data check is inconsistent with python
> -------------------------------------------
>
> Key: CLOUDSTACK-9593
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9593
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Affects Versions: 4.4.2, 4.4.3, 4.3.2, 4.5.1, 4.4.4, 4.5.2, 4.6.0, 4.6.1,
> 4.6.2, 4.7.0, 4.7.1, 4.8.0, 4.9.0
> Reporter: Marc-Aurèle Brothier
> Assignee: Marc-Aurèle Brothier
>
> The user data is validated through the Apache commons codec library, but this
> library does not check that the length is a multiple of 4 characters. The RFC
> does not require it either. But the python script in the virtual router that
> loads the user data does check for the possible padding presence, requiring
> the string to be a multiple of 4 characters.
> {code:python}
> >>> import base64
> >>> base64.b64decode('foo')
> Traceback (most recent call last):
> File "<stdin>", line 1, in <module>
> File
> "/usr/local/Cellar/python/2.7.12/Frameworks/Python.framework/Versions/2.7/lib/python2.7/base64.py",
> line 78, in b64decode
> raise TypeError(msg)
> TypeError: Incorrect padding
> >>> base64.b64decode('foo=')
> '~\x8a'
> {code}
> Currently since the java check is less restrictive, the user data gets saved
> into the database but the VR script crashes when it receives this VM user
> data. On a single VM it is not really a problem. The critical issue is when a
> VR is restarted. The invalid pythonic base64 string makes the vmdata.py
> script crashed, resulting in a VR not starting at all.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
