Commit 42db2ee2 authored by Jason Plum's avatar Jason Plum

Merge branch '1214-quote-passwords' into 'master'

Escape and quote all passwords in ERB templates

Closes #1214

See merge request charts/gitlab!869

(cherry picked from commit 0c67bcf0)

a577ab3d Escape and quote all passwords in ERB
parent 5bbe60ee
Pipeline #71968347 passed with stages
in 72 minutes and 34 seconds
---
title: Escape and quote all passwords in ERB templates
merge_request: 869
author:
type: fixed
......@@ -33,7 +33,7 @@ data:
<% raise Exception, "Storage for node #{@index} is not present in the storageNames array. Did you use kubectl to scale up ? You need to solely use helm for this purpose" %>
<% end %>
[auth]
token = "<%= File.read('/etc/gitlab-secrets/gitaly/gitaly_token') %>"
token = "<%= File.read('/etc/gitlab-secrets/gitaly/gitaly_token').strip.dump[1..-2] %>"
[gitaly-ruby]
# The directory where gitaly-ruby is installed
......@@ -63,7 +63,7 @@ data:
host: {{ template "gitlab.redis.host" . }}
port: {{ template "gitlab.redis.port" . }}
{{- if .Values.global.redis.password.enabled }}
pass: "<%= File.read("/etc/gitlab-secrets/redis/redis_password") %>"
pass: "<%= File.read("/etc/gitlab-secrets/redis/redis_password").strip.dump[1..-2] %>"
{{- end }}
database: nil
namespace: resque:gitlab
......
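Review bot: `.strip.dump[1..-2]` on L27 and L35 emits Ruby's own escape syntax, which is not the escape set accepted by the TOML basic string on L27 or the YAML double-quoted scalar on L35, so some secrets will still break the rendered config instead of being quoted safely. `String#dump` writes `\#` for a `#` followed by `{`, `$` or `@`, `\e` for ESC and `\u{XXXXX}` for characters outside the BMP; none of these is a YAML or TOML 1.0 escape, so such a password becomes a parse error, and whether non-ASCII comes out as `\uXXXX` or as `\xNN` (not valid TOML at all, and a Latin-1 code point in YAML) depends on the default external encoding of the process rendering the template, which the hunk does not pin. An escaper whose output is a subset of both grammars would be safer, e.g. `.strip.to_json[1..-2]`, which only produces `\"`, `\\`, `\b\f\n\r\t` and `\uXXXX` and leaves UTF-8 as-is, provided `json` is loaded wherever these ERB files are rendered (true under Rails; the gitaly and workhorse renderers would need confirming). The same `dump` pattern is used in the hunks at L55, L65, L75, L85, L95, L105, L114, L123, L132, L142–L143 and L154–L155, so one helper shared by all of them would be preferable to repeating the chain.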
......@@ -17,7 +17,7 @@ data:
methods:
- probe_db
opts:
connection_string: dbname={{ template "gitlab.psql.database" . }} user={{ template "gitlab.psql.username" . }} host={{ template "gitlab.psql.host" . }} port={{ template "gitlab.psql.port" . }} password='<%= File.read("/etc/gitlab/postgres/psql-password") %>'
connection_string: dbname={{ template "gitlab.psql.database" . }} user={{ template "gitlab.psql.username" . }} host={{ template "gitlab.psql.host" . }} port={{ template "gitlab.psql.port" . }} password='<%= File.read("/etc/gitlab/postgres/psql-password").strip.gsub(/[\'\\]/) { |esc| '\\' + esc } %>'
database:
multiple: true
ci_builds:
......
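Review bot: The backslash escaping added on L45 covers libpq's quoted-value syntax but not the YAML plain scalar that `connection_string` is written as: a password containing ` #` silently truncates the value at that point (the remainder is a comment), and one containing `: ` makes the parser report a nested mapping and fail, so the exporter either gets a wrong password or no config. Both layers are covered if the whole value is a YAML single-quoted scalar: wrap the line in `'…'`, write the libpq quotes around the password as `''`, and append `.gsub("'", "''")` after the existing `gsub` so any `'` left by the libpq escaping is doubled for YAML. Go-template and ERB output are substituted before YAML parses the file, so the Ruby quotes inside `<%= %>` do not need further handling.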
......@@ -32,7 +32,7 @@ data:
host: {{ template "gitlab.redis.host" . }}
port: {{ template "gitlab.redis.port" . }}
{{- if .Values.global.redis.password.enabled }}
pass: "<%= File.read("/etc/gitlab-secrets/redis/password") %>"
pass: "<%= File.read("/etc/gitlab-secrets/redis/password").strip.dump[1..-2] %>"
{{- end }}
database: nil
namespace: resque:gitlab
......
......@@ -16,7 +16,7 @@ data:
:ssl: {{ .ssl }}
:start_tls: {{ .startTls }}
:email: {{ .user }}
:password: "<%= File.read("/etc/gitlab/mailroom/password") %>"
:password: "<%= File.read("/etc/gitlab/mailroom/password").strip.dump[1..-2] %>"
:idle_timeout: {{ .idleTimeout }}
:name: {{ .mailbox }}
:delete_after_delivery: true
......
......@@ -14,7 +14,7 @@ data:
database: {{ template "gitlab.psql.database" . }}
pool: 10
username: {{ template "gitlab.psql.username" . }}
password: "<%= File.read("/etc/gitlab/postgres/psql-password") %>"
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: {{ template "gitlab.psql.host" . }}
port: {{ template "gitlab.psql.port" . }}
# load_balancing:
......
......@@ -16,7 +16,7 @@ data:
database: {{ template "gitlab.psql.database" . }}
pool: 10
username: {{ template "gitlab.psql.username" . }}
password: "<%= File.read("/etc/gitlab/postgres/psql-password") %>"
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: {{ template "gitlab.psql.host" . }}
port: {{ template "gitlab.psql.port" . }}
# load_balancing:
......
......@@ -14,7 +14,7 @@ data:
database: {{ template "gitlab.psql.database" . }}
pool: 10
username: {{ template "gitlab.psql.username" . }}
password: "<%= File.read("/etc/gitlab/postgres/psql-password") %>"
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: {{ template "gitlab.psql.host" . }}
port: {{ template "gitlab.psql.port" . }}
{{- include "gitlab.psql.ssl.config" . | indent 6 }}
......
......@@ -16,7 +16,7 @@ data:
database: {{ template "gitlab.psql.database" . }}
pool: 10
username: {{ template "gitlab.psql.username" . }}
password: "<%= File.read("/etc/gitlab/postgres/psql-password") %>"
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: {{ template "gitlab.psql.host" . }}
port: {{ template "gitlab.psql.port" . }}
# load_balancing:
......@@ -190,7 +190,7 @@ data:
[redis]
URL = "{{ template "gitlab.redis.scheme" . }}://{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}"
{{- if .Values.global.redis.password.enabled }}
Password = "<%= File.read("/etc/gitlab/redis/password") %>"
Password = "<%= File.read("/etc/gitlab/redis/password").strip.dump[1..-2] %>"
{{- end }}
configure: |
set -e
......
{{- define "gitlab.appConfig.gitaly" -}}
gitaly:
client_path: /home/git/gitaly/bin
token: "<%= File.read('/etc/gitlab/gitaly/gitaly_token') %>"
token: "<%= File.read('/etc/gitlab/gitaly/gitaly_token').strip.dump[1..-2] %>"
{{- end -}}
{{- define "gitlab.appConfig.repositories" -}}
......
......@@ -25,7 +25,7 @@ Usage example:
{{- $.name }}:
{{- toYaml (omit $.config "password") | trimSuffix "\n" | nindent 2 -}}
{{- if and $.config.password (not (kindIs "string" $.config.password ))}}
password: "<%= File.read('/etc/gitlab/ldap/{{ $.name }}/password') %>"
password: "<%= File.read('/etc/gitlab/ldap/{{ $.name }}/password').strip.dump[1..-2] %>"
{{- end -}}
{{- end -}}{{/* gitlab.appConfig.ldap.servers.configuration */}}
......
......@@ -22,8 +22,8 @@ object_store:
connection:
provider: AWS
region: us-east-1
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey') %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey') %>"
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey').strip.dump[1..-2] %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey').strip.dump[1..-2] %>"
host: {{ template "gitlab.minio.hostname" .context }}
endpoint: {{ template "gitlab.minio.endpoint" .context }}
path_style: true
......
......@@ -13,8 +13,8 @@ pseudonymizer:
connection:
provider: AWS
region: us-east-1
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey') %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey') %>"
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey').strip.dump[1..-2] %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey').strip.dump[1..-2] %>"
host: {{ template "gitlab.minio.hostname" $ }}
endpoint: {{ template "gitlab.minio.endpoint" $ }}
path_style: true
......
......@@ -40,5 +40,5 @@ Return the redis scheme, or redis. Allowing people to use rediss clusters
Return the redis url.
*/}}
{{- define "gitlab.redis.url" -}}
{{ template "gitlab.redis.scheme" . }}://{{- if .Values.global.redis.password.enabled -}}:<%= File.read("/etc/gitlab/redis/password") %>@{{- end -}}{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}
{{ template "gitlab.redis.scheme" . }}://{{- if .Values.global.redis.password.enabled -}}:<%= URI.escape(File.read("/etc/gitlab/redis/password").strip) %>@{{- end -}}{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}
{{- end -}}
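Review bot: `URI.escape` on L165 leaves URI-reserved characters such as `@`, `:`, `/` and `?` untouched (its default unsafe set excludes them), so a Redis password containing `@` still yields a URL of the shape `redis://:pa@ss@host:port` (constructed example) whose userinfo/host split is wrong — the very case this commit sets out to close. It is also obsolete: it warns on Ruby 2.7 and was removed in 3.0, so the template would stop rendering after a Ruby upgrade. `ERB::Util.url_encode`, already in scope because the file is an ERB template, percent-encodes everything outside `A-Za-z0-9_.-~` and is the right fit for a userinfo component: `:<%= ERB::Util.url_encode(File.read("/etc/gitlab/redis/password").strip) %>@`. Whether the consumer percent-decodes the userinfo part is not visible here and should be checked before switching.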
......@@ -18,7 +18,7 @@ ActionMailer::Base.smtp_settings = {
{{ if has .Values.global.smtp.authentication (list "login" "plain" "cram_md5") }}
authentication: :{{.Values.global.smtp.authentication}},
user_name: {{ .Values.global.smtp.user_name | quote }},
password: File.read("/etc/gitlab/smtp/smtp-password"),
password: File.read("/etc/gitlab/smtp/smtp-password").strip,
{{- end }}
{{- if .Values.global.smtp.starttls_auto }}
enable_starttls_auto: true,
......
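Review bot: `.strip` on L172 removes leading and trailing whitespace of every kind, not just the trailing newline a mounted secret file typically carries, so a password that legitimately starts or ends with a space is silently altered; `.chomp` drops only the line terminator and is the conservative choice. The same `.strip` is applied in every other hunk of this commit, so whichever form is chosen should be used consistently across them. The `smtp_settings` hash this line belongs to opens before the hunk (L167) and continues past it.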