sensu / sensu-go-chef

Chef Library Cookbook for Sensu Go
https://sensu.io
MIT License

sensu_ctl resource doesn't properly escape command input #60

Closed mattsmitton closed 5 years ago

mattsmitton commented 5 years ago

Chef Version

$ chef-client --version
Chef: 14.12.9

Input

sensu_ctl 'default' do
  backend_url 'http://localhost:8080'
  version '5.12.0-5657'
  repo 'sensu/stable'
  username 'admin'
  password 'omgbbq&allthesesmokedmeats'
  action %i[install configure]
end

Output

FATAL: Mixlib::ShellOut::ShellCommandFailed: sensu_ctl[default] (cc_sensu_go::ctl line 10) had an error: Mixlib::ShellOut::ShellCommandFailed: execute[configure sensuctl] (/var/chef/cache/cookbooks/sensu-go/resources/ctl.rb line 65) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '127'
---- Begin output of /usr/bin/sensuctl configure --non-interactive --username admin --password omgbbq&allthesesmokedmeats --url https://localhost:8080 ----
STDOUT:
STDERR: sh: 1: allthesesmokedmeats: not found

Impact

We must use a password that doesn't require any shell escaping.

Expected Behavior

The sensu_ctl resource's command arguments should be properly escaped.

Actual Behavior

An ampersand in the password property will break the sensu_ctl resource.

Steps to Reproduce your problem

See the input section; you should be able to reproduce the error even if the backend is still using the default password. Rather than getting an authentication error, you'll see the command not found error as shown in the output section above.

mattsmitton commented 5 years ago

This issue also shows that the logic around the execute resource's sensitive property being controlled by the sensu_ctl debug property is reversed. By default, with debug set to false, the full sensuctl command with the password contents is revealed in the log output.

majormoses commented 5 years ago

fixed via #61
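
The failure reported in this issue, reproduced as an added example (not code from the cookbook, from #61, or from any commenter): the same arguments are run as an interpolated shell string, as a Shellwords-escaped string, and as an argv array. `printf` is a constructed stand-in for `/usr/bin/sensuctl`, and `loggable` is a hypothetical helper showing a form of the command that can be logged without the password.

```ruby
require 'open3'
require 'shellwords'

# Constructed stand-in for /usr/bin/sensuctl: prints each argument on its own line.
STAND_IN_ARGV = ['printf', '%s\n'].freeze
STAND_IN_SH   = %q(printf '%s\n').freeze

# Argument values taken from the issue's Input section.
def configure_args(password)
  ['configure', '--non-interactive', '--username', 'admin',
   '--password', password, '--url', 'http://localhost:8080']
end

# Unsafe: join with spaces and let sh parse the result; `&` ends the first command.
def run_interpolated(args)
  out, status = Open3.capture2e('sh', '-c', "#{STAND_IN_SH} #{args.join(' ')}")
  [out.lines.map(&:chomp), status.exitstatus]
end

# Still a shell string, but every argument is quoted with Shellwords first.
def run_escaped(args)
  out, status = Open3.capture2e('sh', '-c', "#{STAND_IN_SH} #{Shellwords.join(args)}")
  [out.lines.map(&:chomp), status.exitstatus]
end

# No shell involved: the arguments reach the process as an argv array.
def run_argv(args)
  out, status = Open3.capture2e(*STAND_IN_ARGV, *args)
  [out.lines.map(&:chomp), status.exitstatus]
end

# Hypothetical helper: the command with the value after --password masked for logs.
def loggable(args)
  args.each_with_index.map { |a, i| i > 0 && args[i - 1] == '--password' ? '[REDACTED]' : a }
end

if __FILE__ == $PROGRAM_NAME
  args = configure_args('omgbbq&allthesesmokedmeats')
  p run_interpolated(args) # exit status 127, password split at the ampersand
  p run_escaped(args)      # exit status 0, password arrives intact
  p run_argv(args)         # exit status 0, password arrives intact
  puts loggable(args).join(' ')
end
```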