-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ANSI escape characters in kubectl output are not being filtered #101695
Comments
/sig api-machinery |
I think the problem should be I built an image
|
We'll let the sig-cli to take a pass first. Please re-tag sig-apimachinery if needed. /remove-sig api-machinery |
Any update on this issue? |
Any updates? |
@g3rzi apologies, this slipped my attention, I'll have a look at it later this week |
Hi @soltysh, did you have time to look at this issue? |
Any update? |
Hi @soltysh, did you have time to look at this issue? |
Hi @soltysh, did you have time to look at this issue? |
cc: @RinkiyaKeDad |
I can also help with this 🙂 /assign |
/triage accepted |
I spoke with @RinkiyaKeDad, he'll be looking at the this. In short I'm proposing to update kubernetes/staging/src/k8s.io/cli-runtime/pkg/printers/json.go Lines 37 to 82 in 758ad07
strconv.QuoteToASCII which was also proposed in this golang issue.
|
IMO this should apply to all arbitrary strings output to a terminal by command line tools. It's probably simpler to just put a catch-all around kubectl output to escape control characters, but I'm not sure if kubectl intentionally uses control characters anywhere. I am neutral on whether the escaping should still be applied when the kubectl output is piped to another command. I do NOT think the escaping should be applied server side. This is only an issue for tools outputting the data to a terminal. |
kubectl uses ansi escape codes (color, bold ...) when printing warnings since #73032 |
@RinkiyaKeDad that related issue #104962 (comment) closed waiting on solution design Am I correct that there is currently no fix for this issue, assigned |
@RSAlderman from what I'm aware of, #104962 was the only PR out to fix this. |
@RinkiyaKeDad thanks for the prompt response. You said last week in #104962
I presume that PR will be referenced from this issue when it is produced and then backported to 1.22 and 1.21 too? |
Sorry I'm afraid I don't know if this will happen or not. Let's wait for what others have to say 🙂 |
As noted in #107617, this also applies to display of annotations |
Are there any news regarding potential patch to this vulnerability? |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/lifecycle frozen |
there is currently no fix for this issue?, assigned to CVE-2021-25743 |
Team, Any fix for this vulnerability? Thanks in advance. |
@buckaroogeek asked about it already in the PR, but got no response for 11 months, so I'll ask again here: will the fix be applied to 1.25 and 1.24? @dgl @g3rzi |
@DamianSawicki - thanks for checking again. I suspect this is almost moot. 1.24 is no longer supported and 1.25 end-of-life was supposed to be 2023.10.27. |
It's unlikely this will be backported now. Note that a 1.25 cluster can be used with kubectl 1.26 per version skew policy and 1.24 on the cluster is likely fine too in this case, so given those are out of support it doesn't make sense to backport, just use a newer kubectl. |
I see, thank you both for the answers! |
It is a security issue, but after contacting [email protected], Tim and the team confirmed that they are comfortable posting it publicly.
What happened:
Kubernetes doesn't sanitize the 'message' field in the Event JSON objects.
Notice that this is relevant only to JSON objects, not YAML objects.
By creating new event, we can insert ANSI escape characters inside the "message" field, like:
This an example of such JSON request:
The codes:
\u001b[2J
-> Clean the screen and history\u001b[3J
-> Clean the entire screen and delete all lines saved in the scrollback buffer\u001b[1;1H
-> Moves the cursor position to row 1, column 1 (beginning).\u001b[m
-> Set the colors\u001b[60C
-> Move the cursor forward 60 steps\u001b[1;1m
-> Set the text colors to whiteThe result is that the text was spoofed, and we could spoof the events, create hidden events, or hide other events.
What you expected to happen:
The ANSI escape characters will be filtered so they couldn't affect the terminal (i.e. using embeded ANSI colors won't do anything to the terminal).
Or maybe some message that says that you can't use ANSI escape characters.
How to reproduce it (as minimally and precisely as possible):
It will create a new event.
kubectl get events
, you will see that the screen was clear, you will get a "spoof" message, and all the rest events or columns were gone.Anything else we need to know?:
It might look like a low severity issue, but there are other variety of things we can do, from DoS by using colors to hide all the events, changing the title of the terminal window, and spoof the data.
It can affect other systems that are using Kubernetes events, such as monitoring applications. It doesn't have to be only the Kubernetes events. There might be other vulnerable objects that we didn't find or other systems that create new objects that count on this mechanism.
ANSI escape characters were used to abuse terminals emulators and even cause code execution if the terminal is vulnerable (like CVE-2003-0069).
Environment:
kubectl version
):cat /etc/os-release
):uname -a
):The text was updated successfully, but these errors were encountered: