Skip to content

manager: datamodel: validate or escape strings in datamodel

Aleš Mrázek requested to merge manager-datamodel-security into 6.0

Since we render the lua configuration with jinja2 template, all string inputs in configuration should be validated or escaped.

  • No str type in configuration (except for lua/script).
  • EscapedStr - custom type that escapes quotes and others..
  • new types IDPattern, PinSha256, EscapedStr32B
  • base types refactored

A simple example of a problem with quotes and newlines:

hostname: "')\nany_lua_code"

Jinja2 template:

hostname('{cfg.hostname}')

Render:

hostname('')
any_lua_code

As a result, kresd startup fails or worse, any_lua_code may be executed.

Are there any other characters or something else I missed that can cause problems? cc @vcunat @ostava

related #715 (closed)

Edited by Aleš Mrázek

Merge request reports