SHA256
1
0
forked from pool/cloud-init
cloud-init/hidesensitivedata
Robert Schweikert 6b35b75868 - Sensitive data exposure (bsc#1210277, CVE-2023-1786)
+ Add hidesensitivedata 
  + Add cloud-init-cve-2023-1786-redact-inst-data.patch
  + Do not expose sensitive data gathered from the CSP

OBS-URL: https://build.opensuse.org/package/show/Cloud:Tools/cloud-init?expand=0&rev=207
2023-04-27 12:35:39 +00:00

37 lines
853 B
Python

#!/usr/bin/python3
import json
import os
import sys
from pathlib import Path
from cloudinit.atomic_helper import write_json
from cloudinit.sources import (
DataSource,
process_instance_metadata,
redact_sensitive_keys,
)
from cloudinit.stages import Init
init = Init()
log_file = init.cfg["def_log_file"]
if os.path.exists(log_file):
os.chmod(log_file, 0o640)
rundir = init.paths.run_dir
instance_data_path = Path(rundir, "instance-data.json")
if not os.path.exists(str(instance_data_path)):
sys.exit(0)
instance_json = json.load(instance_data_path.open(encoding="utf-8"))
sensitive_keys = DataSource.sensitive_metadata_keys
processed_json = process_instance_metadata(
instance_json, sensitive_keys=sensitive_keys
)
redacted_json = redact_sensitive_keys(processed_json)
write_json(str(instance_data_path), redacted_json)