kubeovn / kube-ovn / 25422549888

25%

master: 25%

Build Type

Pull #6700

github

Committed by oilbeater

Commit Message

refactor(security): pass argv to exec instead of shell concatenation

Three exec sites previously joined arguments into a single shell string
and ran them via "bash -c"/"sh -xc". Although every field reaching these
calls is currently validated (net.ParseIP, port ints, protocol whitelists),
the shell-concat pattern is fragile and was acknowledged with a TODO in
vpc_nat_gateway.go. Pass arguments directly as argv so the kubelet exec
API and os/exec deliver them without shell parsing.

- ovs_linux.go: split the UFO probe and disable into two direct ethtool
  exec calls. Treat probe failure as a best-effort skip to keep the prior
  shell behavior on devices/kernels that reject ``ethtool -k``.
- vpc_nat_gateway.go / service_lb.go: build an argv slice and pass it
  directly to ExecuteCommandInContainer; drop the existing TODO.
- nat-gateway.sh / lb-svc.sh: dispatch via ``shift`` + ``"\$@"``. Use
  ``"\$*"`` for nat-gateway.sh ``init`` so the documented
  ``init net1, net2`` form still works.

Inspired by flannel-io/flannel#2400.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>

Pull Request Pull Request #6700: refactor(security): pass argv to exec instead of shell concatenation

Coverage Stats

0 of 23 new or added lines in 3 files covered. (0.0%)

2 existing lines in 1 file now uncovered.

14072 of 56669 relevant lines covered (24.83%)

0.29 hits per line