From: Sebastiaan van Stijn Date: Wed, 3 Jul 2019 14:16:22 +0000 (+0200) Subject: [PATCH] DebugRequestMiddleware: Remove path handling X-Git-Tag: archive/raspbian/18.09.1+dfsg1-7.1+rpi1+deb10u2^2~22 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=76b548695988888dff83fa159a0a3808a84cbfb5;p=docker.io.git [PATCH] DebugRequestMiddleware: Remove path handling Path-specific rules were removed, so this is no longer used. Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 530e63c1a61b105a6f7fc143c5acb9b5cd87f958) Signed-off-by: Tibor Vass (cherry picked from commit f8a0f26843bc5aff33cf9201b75bd4bdbb48a3ad) Signed-off-by: Sebastiaan van Stijn Origin: upstream, https://github.com/docker/engine/pull/298 Gbp-Pq: Name cve-2019-13509-04-DebugRequestMiddleware-Remove-path-handling.patch
---
diff --git a/engine/api/server/middleware/debug.go b/engine/api/server/middleware/debug.go
index 31165bf9..a02c1bc7 100644
--- a/engine/api/server/middleware/debug.go
+++ b/engine/api/server/middleware/debug.go
@@ -41,7 +41,7 @@ func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWri
 var postForm map[string]interface{}
 if err := json.Unmarshal(b, &postForm); err == nil {
- maskSecretKeys(postForm, r.RequestURI)
+ maskSecretKeys(postForm)
 formStr, errMarshal := json.Marshal(postForm)
 if errMarshal == nil {
 logrus.Debugf("form data: %s", string(formStr))
@@ -54,18 +54,10 @@ func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWri
 }
 }
-func maskSecretKeys(inp interface{}, path string) {
- // Remove any query string from the path
- idx := strings.Index(path, "?")
- if idx != -1 {
- path = path[:idx]
- }
- // Remove trailing / characters
- path = strings.TrimRight(path, "/")
-
+func maskSecretKeys(inp interface{}) {
 if arr, ok := inp.([]interface{}); ok {
 for _, f := range arr {
- maskSecretKeys(f, path)
+ maskSecretKeys(f)
 }
 return
 }
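Review bot: maskSecretKeys has no doc comment, and with the path argument gone nothing at the definition says that masking is now decided by field name alone for every request body. The slice branch visible in this hunk only recurses into its elements, so plain string elements (for example `KEY=value` style entries in a list) presumably pass through unmasked; the map branch lies outside the hunk, so this is inferred from the visible lines. I would add `// maskSecretKeys masks values in place by key name only, for every request body; values under other keys, including strings inside lists, are logged as-is.` above the function, so that readers keep treating debug logs as sensitive. The function body continues past the end of this hunk.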
@@ -92,7 +84,7 @@ func maskSecretKeys(inp interface{}, path string) {
 continue loop0
 }
 }
- maskSecretKeys(v, path)
+ maskSecretKeys(v)
 }
 }
 }
diff --git a/engine/api/server/middleware/debug_test.go b/engine/api/server/middleware/debug_test.go
index 361273fe..fb1740d5 100644
--- a/engine/api/server/middleware/debug_test.go
+++ b/engine/api/server/middleware/debug_test.go
@@ -10,49 +10,16 @@ import (
 func TestMaskSecretKeys(t *testing.T) {
 tests := []struct {
 doc string
- path string
 input map[string]interface{}
 expected map[string]interface{}
 }{
 {
- doc: "secret create with API version",
- path: "/v1.30/secrets/create",
+ doc: "secret/config create and update requests",
 input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}},
 expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}},
 },
 {
- doc: "secret create with API version and trailing slashes",
- path: "/v1.30/secrets/create//",
- input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}},
- expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}},
- },
- {
- doc: "secret create with query param",
- path: "/secrets/create?key=val",
- input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}},
- expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}},
- },
- {
- doc: "secret update with API version",
- path: "/v1.30/secrets/mysecret/update",
- input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}},
- expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}},
- },
- {
- doc: "secret update with API version and trailing slashes",
- path: "/v1.30/secrets/mysecret/update//",
- input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}},
- expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}},
- },
- {
- doc: "secret update with query parameter",
- path: "/secrets/mysecret/update?version=34",
- input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}},
- expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}},
- },
- {
- doc: "other paths with API version",
- path: "/v1.30/some/other/path",
+ doc: "masking other fields (recursively)",
 input: map[string]interface{}{
 "password": "pass",
 "secret": "secret",
@@ -83,8 +50,7 @@ func TestMaskSecretKeys(t *testing.T) {
 },
 },
 {
- doc: "other paths with API version case insensitive",
- path: "/v1.30/some/other/path",
+ doc: "case insensitive field matching",
 input: map[string]interface{}{
 "PASSWORD": "pass",
 "other": map[string]interface{}{
@@ -102,7 +68,7 @@ func TestMaskSecretKeys(t *testing.T) {
 for _, testcase := range tests {
 t.Run(testcase.doc, func(t *testing.T) {
- maskSecretKeys(testcase.input, testcase.path)
+ maskSecretKeys(testcase.input)
 assert.Check(t, is.DeepEqual(testcase.expected, testcase.input))
 })
 }
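Review bot: None of the table cases visible in these hunks passes a slice through maskSecretKeys, although the function has a dedicated `[]interface{}` branch (second hunk of debug.go), so a regression there would let secrets inside list-wrapped objects reach the debug log without any test failing. Because `input` and `expected` are maps, such a case has to nest the list under a key. Part of the table lies between the hunks and may already cover this, so check before adding. A constructed case using the `Data` field, which the first case shows is masked, is sketched below.

```go
// … unchanged: existing table cases …
		{
			doc: "masking fields inside a list of objects",
			input: map[string]interface{}{
				"items": []interface{}{
					map[string]interface{}{"Data": "foo", "Name": "name"},
				},
			},
			expected: map[string]interface{}{
				"items": []interface{}{
					map[string]interface{}{"Data": "*****", "Name": "name"},
				},
			},
		},
```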