
Chef Server API should not allow client-names with newline characters

Open PrajaktaPurohit opened this issue 10 years ago • 5 comments

In the current chef-server we can create a client with name "staging-mike\n". That should not be allowed.

REF: https://github.com/chef/chef-server/issues/90

Issue noted in: https://getchef.zendesk.com/agent/tickets/3212

PrajaktaPurohit avatar Mar 06 '15 19:03 PrajaktaPurohit

Similar to #90, I tried to recreate this. I got a 400 response from the server with the message {"error":["Invalid client name 'testing_\nclient' using regex: 'Malformed client name. Must be A-Z, a-z, 0-9, _, -, or .'."]}

The input here was:

"(<<-EOM)"
testing
client
EOM

Is it possible that this client was modified through an external means?

marcparadise avatar Mar 06 '15 20:03 marcparadise

This is possible via the API on a PUT to an existing client:

chef > api.get("/clients").keys
 => ["acme-validator", "foobar"]
chef > api.put("/clients/foobar", name: "foobar\n"); nil
 => nil
chef > api.get("/clients").keys
 => ["acme-validator", "foobar\n"]

stevendanna avatar Mar 06 '15 23:03 stevendanna
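The thread shows a name being rejected on create but accepted on a PUT to an existing client. As an added example (not Chef Server code, and not a statement about the root cause in Chef Server), the Ruby sketch below applies one string-anchored check to the name in an update body and audits existing names. The character set comes from the error message quoted above; `check_rename`, `audit` and the sample names are hypothetical and constructed.

```ruby
# Added example, not Chef Server code. The allowed characters are taken from
# the error message quoted in the thread; all names below are assumptions.

# Line-anchored pattern: in Ruby, ^ and $ match at line boundaries, so $ also
# matches just before a "\n" and a name with an embedded or trailing newline passes.
LINE_ANCHORED = /^[A-Za-z0-9_.-]+$/

# String-anchored pattern: \A and \z match only at the very start and end.
STRING_ANCHORED = /\A[A-Za-z0-9_.-]+\z/

def valid_client_name?(name)
  name.is_a?(String) && STRING_ANCHORED.match?(name)
end

# Hypothetical update handler check: validate the name carried in the request
# body, not only the name in the URL, so a rename cannot bypass the rule.
def check_rename(url_name, body)
  new_name = body.fetch("name", url_name)
  return [400, "Invalid client name #{new_name.inspect}"] unless valid_client_name?(new_name)

  [200, new_name]
end

# Audit existing names; inspect makes control characters visible in the report.
def audit(names)
  names.reject { |n| valid_client_name?(n) }.map(&:inspect)
end

# Constructed sample, shaped like the output of api.get("/clients").keys.
SAMPLE_NAMES = ["acme-validator", "foobar\n", "testing_\nclient", "web.01"].freeze

if __FILE__ == $PROGRAM_NAME
  puts "line-anchored accepts \"foobar\\n\": #{LINE_ANCHORED.match?("foobar\n")}"
  puts "rename check: #{check_rename('foobar', { 'name' => "foobar\n" }).inspect}"
  puts "names failing the audit: #{audit(SAMPLE_NAMES).join(', ')}"
end
```
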

Hello,

The solution proposed by stevendanna is not working with Chef Server 12. I tried to change the name with:

chef-shell > clients.transform(":") do |client|
  if client.name =~ /borat/i
    client.name("barot")
  else
    nil
  end
end

The result indicated that the name changed correctly but after executing the command "clients.all", the name of the client is still always:

name => 'XXXXXX '

So, with this modification I'm able to access the client in the web UI of Chef.

n4rk0o avatar Oct 13 '15 12:10 n4rk0o

Any tips for getting rid of a client with a newline?

ghost avatar Jan 10 '19 16:01 ghost

We solved this by renaming the client from within postgres, and then deleting the client with knife.

For example, if the bad hostname was "foobar\n", I'd do something like this:

opscode_chef=# SELECT * FROM clients WHERE name LIKE 'foobar%' LIMIT 10;
opscode_chef=# UPDATE clients
opscode_chef-# SET name = 'foobar'
opscode_chef-# WHERE
opscode_chef-# -- id is pulled from the SELECT query
opscode_chef-#  id = 'fae12048578e9f7777a66999b9' AND
opscode_chef-#  name LIKE 'foobar%';
UPDATE 1

opscode_chef=# SELECT * FROM clients WHERE name LIKE 'foobar%' LIMIT 10;

Then, optionally, you can delete it with knife:

knife client delete foobar
Do you really want to delete foobar? (Y/N) y
Deleted client[foobar]

This worked fine for us, but may have consequences. Perform at your own risk! :shrug:

biox avatar Aug 23 '21 14:08 biox