collect failed to properly parse passwords with repeated special characters

Bug #2019511 reported by Eric MacDonald
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Eric MacDonald

Bug Description

Brief Description
-----------------
The StarlingX collect tool handles escaping single cases of ] [ \ " $ but not multiple.

Severity
--------
Minor: System/Feature is usable with minor issue

Steps to Reproduce
------------------
Create a sysadmin password with double of the aforementioned special characters, like $$$passwd123$$$.

Expected Behavior
------------------
Collect parses the sudo pw properly

Actual Behavior
----------------
Collect fails to parse the sudo passwd properly

Reproducibility
---------------
100%

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
Any prior to this issue report

Last Pass
---------
Test escape, never tested.

Timestamp/Logs
--------------

controller-0:~$ collect
[sudo] password for sysadmin:
can't read "word123": no such variable
    while executing
"send "'@Pa\$$word123@'\r""
    invoked from within
"expect {
        "assword:" {
            send "'@Pa\$$word123@'\r"
            expect {
                "expect done" { exit 0 }
          ..."
Error: failed to create_collect_dir_local for /scratch/controller-0_20230512.012005 (reason:1)

Test Activity
-------------
Normal use

Workaround
----------
Avoid sysadmin passwords with more than one of each of the following characters \ [ ] $ "

OpenStack Infra (hudson-openstack) wrote : Fix proposed to utilities (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/utilities/+/883153

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to utilities (master)

Reviewed: https://review.opendev.org/c/starlingx/utilities/+/883153
Committed: https://opendev.org/starlingx/utilities/commit/55db5c8470eedd958ea9e15807f1a59e1367a7e8
Submitter: "Zuul (22348)"
Branch: master

commit 55db5c8470eedd958ea9e15807f1a59e1367a7e8
Author: Eric MacDonald <email address hidden>
Date: Mon May 15 07:55:20 2023 -0400

    Add multi special character password handling to collect

    Add handling for passwords that have duplicate special
    characters.

    For instance without this update, passing collect the following
    sudo password would fail while with this update it succeeds.

        [[Pa$$word123]]

    The following characters are verified to require escapes.

    1. [ and ] (square brackets) [$$Copper1$$] … escaped by collect
    2. ? (question mark) ?Copper123? … escaped by collect
    3. $ (dollar sign) $Copper123$ … escaped by collect
    4. " (double quotes) “<Mooser123>” … escaped by collect
    5. \ (backslash) \Mooser1\ … escaped by collect

    Note that the backslash '\' must be escaped by the user. For instance to enter a password with backslashes that reads like this \Copper123\ it must be escaped going in like this \\Copper123\\

    The following special characters are verified to not require escapes.

    6. & (ampersand) &Copper123& … no escape needed
    7. ( and ) (parentheses) (Duffy123) … no escape needed
    8. { and } (curly braces) {HealthCare123} … no escape needed
    9. ; (semicolon) ;Copper123; … no escape needed
    10. | (pipe) |PasswdTst123| … no escape needed
    11. < (less than) <Mooser123> … no escape needed
    12. > (greater than) <|>Copper123<|> … no escape needed
    13. >> (double greater than) >>Mooser321<< … no escape needed
    14. ' (single quotes) ‘Copper911’ … no escape needed
    15. * (asterisk) *Mooser123* … no escape needed
    16. # (hash or pound sign) #Mooser123# … no escape needed
    17. ! (exclamation mark) !!@$Mooser1$@!! … no escape needed
    18. ~ (tilde) ~Copper1~ … no escape needed
    19. @ (at symbol) @Passwd1@ … no escape needed
    20. ^ (caret) @^Myword1^@ … no escape needed

    Test Plan:

    PASS: Build and Install Debian Image
    PASS: Run collect with typical password

    The following password patterns were verified to be parsed
    properly and all verified to work with collect.

    PASS: [[Pa$$word123]] -> \[\[Pa\$\$word123\]\]
    PASS: $$Passwd123$$ -> \$\$Passwd123\$\$
    PASS: \Passwd1\ -> \\Passwd1\\
    PASS: "Passwd1" -> \"Passwd1\"
    PASS: [Passwd1] -> \[Passwd1\]
    PASS: $Passwd1$ -> \$Passwd1\$
    PASS: Li69nux* -> Li69nux*
    PASS: "[Li69nux*]" -> \"\[Li69nux*\]\"
    PASS: St8rlingX* -> St8rlingX*
    PASS: $t8rlingX* -> \$t8rlingX*
    PASS: $[$$Passwd1$$]$ -> \$\[\$\$Passwd1\$\$\]\$
    PASS: "]\\$Passwd1$\\[" -> \"\]\\\\\$Passwd1\$\\\\\[\"
    PASS: [[$$$[Passwd1]$$$] -> \[\[\$\$\$...


Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
assignee: nobody → Eric MacDonald (rocksolidmtce)
tags: added: stx.9.0 stx.tools
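
Added example (not code from collect or the StarlingX project): the failure in the traceback above next to every-occurrence escaping, checked against vectors copied from the commit message's test plan. The function names are hypothetical, and the first-occurrence-only behaviour of escape_first_only is an assumed shape of the defect inferred from the traceback.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from collect.
# Tcl substitutes $name and [command] inside double quotes, so a password
# placed in  send "<password>\r"  needs \ [ ] $ " (and ?, per the commit
# message) backslash-escaped at every occurrence.

# Assumed shape of the defect: each character is escaped at its first
# occurrence only (no 'g' flag). Backslash is handled first so backslashes
# added by the later expressions are not escaped again.
escape_first_only() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/' -e 's/\[/\\[/' -e 's/]/\\]/' \
        -e 's/\$/\\$/' -e 's/"/\\"/' -e 's/?/\\?/'
}

# Hardened form: a single pass that escapes every occurrence.
# In the bracket expression the leading ] is a literal.
escape_all() {
    printf '%s' "$1" | sed 's/[][\\$"?]/\\&/g'
}

# Run escape_all over vectors copied from the commit message's test plan.
# Returns the number of mismatches (0 = all pass).
check_vectors() {
    fails=0
    while IFS= read -r line; do
        src=${line%%' -> '*}
        want=${line#*' -> '}
        got=$(escape_all "$src")
        [ "$got" = "$want" ] || { printf 'FAIL: %s gave %s\n' "$src" "$got"; fails=$((fails + 1)); }
    done <<'EOF'
[[Pa$$word123]] -> \[\[Pa\$\$word123\]\]
$$Passwd123$$ -> \$\$Passwd123\$\$
\Passwd1\ -> \\Passwd1\\
"[Li69nux*]" -> \"\[Li69nux*\]\"
$[$$Passwd1$$]$ -> \$\[\$\$Passwd1\$\$\]\$
"]\\$Passwd1$\\[" -> \"\]\\\\\$Passwd1\$\\\\\[\"
EOF
    return "$fails"
}

# The password from the traceback on this page.
pw='@Pa$$word123@'
printf 'first-only: %s\n' "$(escape_first_only "$pw")"   # second $ left bare
printf 'all:        %s\n' "$(escape_all "$pw")"
check_vectors && printf 'commit-message vectors: all pass\n'
```

The first-only output is the same string that appears inside the send command in the traceback, where the bare second $ makes Tcl look up a variable named word123.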