nolar / kopf (Coveralls coverage report)

Coverage: 85%
main: 0%
Last build branch: pyproject-toml
Default branch: main
Repo added 24 May 2019 05:56PM UTC
Last build on branch: security-logging-injections

Build 1144 · push · travis-ci · pending completion
Committer: nolar
Secure the log strings from injections and for better template-matching

Generally, we can trust the codebase of the operators, as only
the code owners can inject arbitrary handler ids or task names.
But in case they are dynamic and use the data from the CR-users,
this can lead to log template injections and cause errors of DoS
(mostly when at least some positional args are passed to loggers).

We can make it a bit more secure by not using any f-strings
in the log message templates, unless the variables come strictly
from Kopf, not even from the Kopf-based operators.

This also improves the template-matching: the logging handlers
and formatters get the template strings with %s/%r instead of
actual variable values which differ every time, so they report
these messages by their proper templates (e.g. in Sentry).
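The failure mode the commit message describes, as an added Python illustration that is not code from the kopf repository: a constructed handler id that contains a printf placeholder, the f-string pattern that breaks on it, the %r/%s pattern that does not, and a small handler showing why constant templates group better in tools like Sentry. The names render_unsafe, render_safe, unsafe_crashes, TemplateCollector and templates_seen are hypothetical.

```python
import logging

# Constructed untrusted value, e.g. a handler id derived from a CR user's data.
# It carries a printf-style placeholder, which is exactly the problem case.
UNTRUSTED_ID = "spec.replicas %s"

def render_unsafe(handler_id, attempt):
    # Vulnerable: untrusted text is baked into the template by an f-string while
    # a positional arg is still passed, so a '%' in the text breaks formatting.
    template = f"Handler {handler_id!r} failed, retry %d"
    record = logging.LogRecord("kopf", logging.WARNING, __file__, 0, template, (attempt,), None)
    return record.getMessage()   # the same 'msg % args' step logging performs itself

def render_safe(handler_id, attempt):
    # Fixed: constant template; every variable value travels as an argument.
    template = "Handler %r failed, retry %d"
    record = logging.LogRecord("kopf", logging.WARNING, __file__, 0, template, (handler_id, attempt), None)
    return record.getMessage()

def unsafe_crashes(handler_id):
    # True if the vulnerable pattern raises for this handler id.
    try:
        render_unsafe(handler_id, 1)
        return False
    except TypeError:
        return True

class TemplateCollector(logging.Handler):
    """Keeps the raw templates (record.msg), the field Sentry-style grouping keys on."""
    def __init__(self):
        super().__init__()
        self.templates = []
    def emit(self, record):
        self.templates.append(str(record.msg))

def templates_seen(handler_ids, safe):
    """Distinct templates emitted for several handler ids; ideally exactly one."""
    logger = logging.getLogger("kopf.demo.safe" if safe else "kopf.demo.unsafe")
    logger.propagate = False
    collector = TemplateCollector()
    logger.addHandler(collector)
    try:
        for handler_id in handler_ids:
            if safe:
                logger.warning("Handler %r failed", handler_id)
            else:
                logger.warning(f"Handler {handler_id!r} failed")  # one template per id
    finally:
        logger.removeHandler(collector)
    return set(collector.templates)
```

With a real logger the TypeError from the unsafe pattern is swallowed by logging's handleError and printed as "--- Logging error ---" on stderr, which is the noisy, hard-to-group outcome the commit avoids.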

Coverage for this build:
  • 918 of 1173 branches covered (78.26%); branch coverage is included in the aggregate %
  • 3319 of 3838 relevant lines covered (86.48%)
  • 7.74 hits per line

Recent builds

Build  Branch                       Commit                                                                   Type  Ran                      Committer  Via        Coverage
1144   security-logging-injections  Secure the log strings from injections and for better template-matching  push  08 Jun 2020 09:27PM UTC  nolar      travis-ci  pending completion
1093   security-logging-injections  Secure the log strings from injections and for better template-matching  push  09 Apr 2020 09:32PM UTC  nolar      travis-ci  pending completion

2088 builds in total.