From a618653638d27ae1e00530bd5b0733c4f65689a1 Mon Sep 17 00:00:00 2001 From: Maxim Patlasov Date: Thu, 19 Oct 2023 19:34:06 -0700 Subject: [PATCH] Clear secrets from request for klog print in `logGRPC()` Malicious user can put a secret in request as explained here: https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/issues/1372. --- pkg/gce-pd-csi-driver/utils.go | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/pkg/gce-pd-csi-driver/utils.go b/pkg/gce-pd-csi-driver/utils.go index d8ef8ce0b7..7da657f7c0 100644 --- a/pkg/gce-pd-csi-driver/utils.go +++ b/pkg/gce-pd-csi-driver/utils.go @@ -20,6 +20,7 @@ import ( "context" "errors" "fmt" + "reflect" csi "github.com/container-storage-interface/spec/lib/go/csi" "google.golang.org/grpc" @@ -63,6 +64,17 @@ func logGRPC(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, h // Note that secrets are not included in any RPC message. In the past protosanitizer and other log // stripping was shown to cause a significant increase of CPU usage (see // https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/issues/356#issuecomment-550529004). + // However malicious user still can put a secret in request as explained here: + // https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/issues/1372 + // Reflect magic below simply clears Secrets map from request. + v := reflect.ValueOf(&req).Elem() + e := reflect.New(v.Elem().Type()).Elem() + e.Set(v.Elem()) + f := reflect.Indirect(e).FieldByName("Secrets") + if f.IsValid() && f.CanSet() && f.Kind() == reflect.Map { + f.Set(reflect.MakeMap(f.Type())) + v.Set(e) + } klog.V(4).Infof("%s called with request: %s", info.FullMethod, req) resp, err := handler(ctx, req) if err != nil {