authorJake Hunsaker <jhunsake@redhat.com>2018-11-28 10:43:40 -0500
committerBryn M. Reeves <bmr@redhat.com>2019-03-12 15:32:39 +0000
commitbcc939b71842175010e60d0d063043e9f780c702 (patch)
tree6edde4cd061f1268719650beaaf0232a5bd56650
parent749165e09da65d073ace7136dc29cfa28931b751 (diff)
[podman|docker] Add postprocessing for container inspect output
Adds a postproc for the podman and docker plugins to attempt to obfuscate sensitive keys in 'inspect' output for those runtimes. Previously, these keys were being captured in plaintext which could lead to passwords or similar being leaked when sysadmins configure containers with environment variables (or similar) that contain this data. Specifically, we match against 'key=value' pairs as that is how the container runtimes accept and print these pairs, like so: "Env": [ "mypassword=supersecret", "container=oci" ], By comparison, the inspect outputs now read like the following when a potentially sensitive key is found: "Env": [ "mypassword=********", "container=oci" ], Resolves: #1487 Signed-off-by: Jake Hunsaker <jhunsake@redhat.com> Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
-rw-r--r--sos/plugins/docker.py17
-rw-r--r--sos/plugins/podman.py16
2 files changed, 33 insertions, 0 deletions
diff --git a/sos/plugins/docker.py b/sos/plugins/docker.py
index 69ac997e..3cce15ed 100644
--- a/sos/plugins/docker.py
+++ b/sos/plugins/docker.py
@@ -88,6 +88,23 @@ class Docker(Plugin):
if self.get_option('logs'):
self.add_cmd_output("docker logs -t %s" % container)
+ def postproc(self):
+ # Attempts to match key=value pairs inside container inspect output
+ # for potentially sensitive items like env vars that contain passwords.
+ # Typically, these will be seen in env elements or similar, and look
+ # like this:
+ # "Env": [
+ # "mypassword=supersecret",
+ # "container=oci"
+ # ],
+ # This will mask values when the variable name looks like it may be
+ # something worth obfuscating.
+
+ env_regexp = r'(?P<var>(pass|key|secret|PASS|KEY|SECRET).*?)=' \
+ '(?P<value>.*?)"'
+ self.do_cmd_output_sub('*inspect*', env_regexp,
+ r'\g<var>=********"')
+
class RedHatDocker(Docker, RedHatPlugin):
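Review bot: The name alternation in `env_regexp` inside the new `postproc` matches only all-lowercase or all-uppercase spellings, so mixed-case names such as `Password=` or `ApiKey=` are left in plaintext; making the whole pattern case-insensitive, `env_regexp = r'(?i)(?P<var>(pass|key|secret).*?)=(?P<value>.*?)"'`, closes that gap with the same replacement string (assuming `do_cmd_output_sub` hands the pattern to `re` unchanged, which is not visible here). The value group also stops at the first `"`, so a JSON-escaped quote inside a value (`\"`) ends the mask early and the rest of the secret survives as `=********"rest"`; `r'(?P<value>(?:[^"\\]|\\.)*)"'` consumes escaped quotes before terminating. Over-matching names like `KEYCHAIN` or `SECRET_FILE` only masks harmless values, which is the right direction for a collector, so the unanchored `.*?` before `=` can stay. The identical pattern and substitution are repeated in `sos/plugins/podman.py` in this commit and need the same change; a shared module-level constant would keep the two plugins from drifting.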
diff --git a/sos/plugins/podman.py b/sos/plugins/podman.py
index 72e22558..cdf60043 100644
--- a/sos/plugins/podman.py
+++ b/sos/plugins/podman.py
@@ -74,5 +74,21 @@ class Podman(Plugin, RedHatPlugin, UbuntuPlugin):
if self.get_option('logs'):
self.add_cmd_output("podman logs -t %s" % container)
+ def postproc(self):
+ # Attempts to match key=value pairs inside container inspect output
+ # for potentially sensitive items like env vars that contain passwords.
+ # Typically, these will be seen in env elements or similar, and look
+ # like this:
+ # "Env": [
+ # "mypassword=supersecret",
+ # "container=oci"
+ # ],
+ # This will mask values when the variable name looks like it may be
+ # something worth obfuscating.
+
+ env_regexp = r'(?P<var>(pass|key|secret|PASS|KEY|SECRET).*?)=' \
+ '(?P<value>.*?)"'
+ self.do_cmd_output_sub('*inspect*', env_regexp,
+ r'\g<var>=********"')
# vim: set et ts=4 sw=4 :