Skip to content

Commit

Permalink
[gh-476] Sanitise HCL variables before storing on job submission (#24423
Browse files Browse the repository at this point in the history
)

* func: User url rules to scape non alphanumeric values in hcl variables

* docs: add changelog

* func: unscape flags before returning

* use JSON.stringify instead of bespoke value quoting to handle in-value-multi-line cases

---------

Co-authored-by: Phil Renaud <phil@riotindustries.com>
  • Loading branch information
Juanadelacuesta and philrenaud authored Nov 22, 2024
1 parent 997da25 commit c21dfdb
Show file tree
Hide file tree
Showing 5 changed files with 28 additions and 7 deletions.
3 changes: 3 additions & 0 deletions .changelog/24423.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:improvement
api: Sanitise hcl variables before storage on JobSubmission
```
6 changes: 2 additions & 4 deletions api/jobs.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,6 @@ import (
"net/url"
"sort"
"strconv"
"strings"
"time"

"github.com/hashicorp/cronexpr"
Expand Down Expand Up @@ -324,6 +323,7 @@ func (j *Jobs) Submission(jobID string, version int, q *QueryOptions) (*JobSubmi
if err != nil {
return nil, nil, err
}

return &sub, qm, nil
}

Expand Down Expand Up @@ -1061,9 +1061,7 @@ func (js *JobSubmission) Canonicalize() {
// characters to preserve them. This way, when the job gets stopped and
// restarted in the UI, variable values will be parsed correctly.
for k, v := range js.VariableFlags {
if strings.Contains(v, "\n") {
js.VariableFlags[k] = strings.ReplaceAll(v, "\n", "\\n")
}
js.VariableFlags[k] = url.QueryEscape(v)
}
}

Expand Down
12 changes: 11 additions & 1 deletion api/jobs_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1503,7 +1503,17 @@ func TestJobs_JobSubmission_Canonicalize(t *testing.T) {
VariableFlags: map[string]string{"test": "foo\nbar"},
}
js.Canonicalize()
must.Eq(t, js.VariableFlags["test"], "foo\\nbar")

must.Eq(t, js.VariableFlags["test"], "foo%0Abar")
})

t.Run("non-alphabetic chars", func(t *testing.T) {
js := &JobSubmission{
Source: "abc123",
VariableFlags: map[string]string{"test": `"foo": "bar"`},
}
js.Canonicalize()
must.Eq(t, js.VariableFlags["test"], "%22foo%22%3A+%22bar%22")
})
}

Expand Down
11 changes: 10 additions & 1 deletion command/agent/job_endpoint.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (
"io"
"maps"
"net/http"
"net/url"
"slices"
"strconv"
"strings"
Expand Down Expand Up @@ -493,7 +494,8 @@ func (s *HTTPServer) jobSubmissionQuery(resp http.ResponseWriter, req *http.Requ
}

var out structs.JobSubmissionResponse
if err := s.agent.RPC("Job.GetJobSubmission", &args, &out); err != nil {
err := s.agent.RPC("Job.GetJobSubmission", &args, &out)
if err != nil {
return nil, err
}

Expand All @@ -502,6 +504,13 @@ func (s *HTTPServer) jobSubmissionQuery(resp http.ResponseWriter, req *http.Requ
return nil, CodedError(404, "job source not found")
}

for k, v := range out.Submission.VariableFlags {
out.Submission.VariableFlags[k], err = url.QueryUnescape(v)
if err != nil {
return nil, err
}
}

return out.Submission, nil
}

Expand Down
3 changes: 2 additions & 1 deletion ui/app/utils/json-to-hcl.js
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,8 @@ export default function jsonToHcl(obj) {

for (const key in obj) {
const value = obj[key];
const hclValue = typeof value === 'string' ? `"${value}"` : value;
const hclValue = typeof value === 'string' ? JSON.stringify(value) : value;

hclLines.push(`${key}=${hclValue}\n`);
}

Expand Down

0 comments on commit c21dfdb

Please sign in to comment.