Project

Profile

Help

Issue #6402

closed

secret fields on Remote objects can cause mutation of data

Added by dkliban@redhat.com over 4 years ago. Updated over 4 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Category:
-
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 69
Quarter:

Description

When using the bindings, if you take the FileRemote object returned by the read() or create() method and pass it to the update() method, the client_cert field gets updated to a new value. This will be true for any SecretCharField.



        (Pdb) file_remote
        {'ca_cert': None,
         'client_cert': 'b3226466e6d9c43c7058f69e1ff41daaf688cd223c084faa3e28202813ecff28',
         'client_key': None,
         'download_concurrency': 20,
         'name': 'bar25',
         'policy': 'immediate',
         'proxy_url': None,
         'pulp_created': datetime.datetime(2020, 3, 25, 17, 9, 13, 631685, tzinfo=tzlocal()),
         'pulp_href': '/pulp/api/v3/remotes/file/file/e42eea0d-e583-45ce-bdca-342169385cb2/',
         'pulp_last_updated': datetime.datetime(2020, 3, 25, 17, 9, 13, 631703, tzinfo=tzlocal()),
         'tls_validation': True,
         'url': 'https://repos.fedorapeople.org/pulp/pulp/demo_repos/test_file_repo/PULP_MANIFEST'}
        (Pdb) fileremotes.update(file_remote.pulp_href, file_remote)
        {'task': '/pulp/api/v3/tasks/ec6a2bb6-4ce4-4a0e-ab1c-62d37aecfd27/'}
        (Pdb) file_updated_remote = fileremotes.read(file_remote.pulp_href)
        (Pdb) file_updated_remote
        {'ca_cert': None,
         'client_cert': '7fc2a6b69d81c4581eac98454217b173a8b23256eefad0bb9eaabe199d8baae8',
         'client_key': None,
         'download_concurrency': 20,
         'name': 'bar25',
         'policy': 'immediate',
         'proxy_url': None,
         'pulp_created': datetime.datetime(2020, 3, 25, 17, 9, 13, 631685, tzinfo=tzlocal()),
         'pulp_href': '/pulp/api/v3/remotes/file/file/e42eea0d-e583-45ce-bdca-342169385cb2/',
         'pulp_last_updated': datetime.datetime(2020, 3, 25, 17, 10, 37, 747011, tzinfo=tzlocal()),
         'tls_validation': True,
         'url': 'https://repos.fedorapeople.org/pulp/pulp/demo_repos/test_file_repo/PULP_MANIFEST'}
         


Actions #1

Updated by pulpbot over 4 years ago

  • Status changed from ASSIGNED to POST

Added by dkliban@redhat.com over 4 years ago

Revision e22b3725 | View on GitHub

Ignores secret fields if the incoming value is the sha256 checksum of current value

fixes: #6402 https://pulp.plan.io/issues/6402

Actions #2

Updated by dkliban@redhat.com over 4 years ago

  • Status changed from POST to MODIFIED

Added by dkliban@redhat.com over 4 years ago

Revision a7da2e1d | View on GitHub

Ignores secret fields if the incoming value is the sha256 checksum of current value

fixes: #6402 https://pulp.plan.io/issues/6402 (cherry picked from commit e22b3725c6ac51e5ef29a107b2012459c36d6dab)

Actions #4

Updated by ttereshc over 4 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
  • Sprint/Milestone set to 3.3.0

Also available in: Atom PDF