ERB: secrets containing some special characters can lead to invalid YAML
Summary
The current handling of Secret content read in from files does not treat strings properly, resulting in invalid YAML.
Steps to reproduce
Place Gitaly's token secret with the content of my$peci4l#pass.
Configuration used
Default, other than the content of the gitaly token secret
Current behavior
gitaly:
  gitaly_token: "my$pecial\#pass"
Expected behavior
gitaly:
  gitaly_token: "my$pecial#pass"
Versions
- Chart: > 2.1.x (Since %12.1)
- Platform: N/A
- Kubernetes: N/A
- Helm: N/A
Relevant logs
The application won't be able to run migrations properly, because Rails can't load its configuration due to invalid YAML.
Resulting failure, when attempting to manually test:
gitaly:
  client_path: /home/git/gitaly/bin
  token: "<%= File.read('gitaly_token').strip.dump[1..-2] %>"
  chomped: "<%= File.read('gitaly_token').strip.chomp %>"
$ echo 'my$pecial#pass' > gitaly_token
$ erb test.erb > out.yaml
$ ruby -ryaml -e 'YAML.load(File.read("out.yaml"))'
Traceback (most recent call last):
4: from -e:1:in `<main>'
3: from /home/whse/.rvm/rubies/ruby-2.7.2/lib/ruby/2.7.0/psych.rb:277:in `load'
2: from /home/whse/.rvm/rubies/ruby-2.7.2/lib/ruby/2.7.0/psych.rb:390:in `parse'
1: from /home/whse/.rvm/rubies/ruby-2.7.2/lib/ruby/2.7.0/psych.rb:456:in `parse_stream'
/home/whse/.rvm/rubies/ruby-2.7.2/lib/ruby/2.7.0/psych.rb:456:in `parse': (<unknown>): found unknown escape character while parsing a quoted scalar at line 3 column 10 (Psych::SyntaxError
Related to #1214 (closed)
Acceptance Criteria
- Replace all uses of "<%= x.dump[1..-2] %>" with <%= x.to_json %>
- Replace all uses of "{% x | strings.TrimSpace %}" with {% x | strings.TrimSpace | strings.Squote %}
- Update any RSpecs impacted by the above
- Add note to doc/development/style_guide.md regarding templating passwords from files
Edited by Jason Plum
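
The failure and the first acceptance criterion above, as an added Ruby example (not code from the chart): it renders a token through the current dump[1..-2] template and through the proposed to_json one, then loads the result as YAML. The sample secrets are constructed to contain `#$` and `#{`, sequences that String#dump escapes as `\#`; the helper names are assumptions.

```ruby
require 'erb'
require 'json'
require 'yaml'

# Current template: String#dump output pasted between YAML double quotes.
BEFORE = <<~'TPL'
  gitaly:
    token: "<%= raw.strip.dump[1..-2] %>"
TPL

# Proposed template: to_json emits its own quotes and JSON escapes.
AFTER = <<~'TPL'
  gitaly:
    token: <%= raw.strip.to_json %>
TPL

# Render a template against the raw secret file content, parse the YAML and
# return the token the application would see, or the parser error on failure.
def loaded_token(template, raw)
  yaml = ERB.new(template).result_with_hash(raw: raw)
  YAML.safe_load(yaml).dig('gitaly', 'token')
rescue Psych::SyntaxError => e
  e
end

# Compare both templates for one secret, written to the file the way
# `echo 'secret' > gitaly_token` would write it (trailing newline).
def compare(secret)
  raw = "#{secret}\n"
  { before: loaded_token(BEFORE, raw), after: loaded_token(AFTER, raw) }
end

# Constructed sample secrets (single-quoted so Ruby does not interpolate them).
SAMPLES = [
  'plainpass',        # nothing to escape: both templates agree
  'my#$pecial"pass',  # dump emits \#, which YAML double quotes reject
  'p#{w}d'            # same problem via #{
].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |secret|
    result = compare(secret)
    before = result[:before].is_a?(Exception) ? "ERROR (#{result[:before].class})" : result[:before]
    puts format('%-18s before=%-28s after=%s', secret, before, result[:after])
  end
end
```
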