Project

Profile

Help

Issue #6402

secret fields on Remote objects can cause mutation of data

Added by dkliban@redhat.com 9 days ago. Updated 7 days ago.

Status:
MODIFIED
Priority:
Normal
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Severity:
2. Medium
Version:
Platform Release:
Blocks Release:
OS:
Backwards Incompatible:
No
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
QA Contact:
Complexity:
Smash Test:
Verified:
No
Verification Required:
No
Sprint:
Sprint 69

Description

When using the bindings, if you take the FileRemote object returned by the read() or create() method and pass it to the update() method, the client_cert field gets updated to a new value. This will be true for any SecretCharField.



        (Pdb) file_remote
        {'ca_cert': None,
         'client_cert': 'b3226466e6d9c43c7058f69e1ff41daaf688cd223c084faa3e28202813ecff28',
         'client_key': None,
         'download_concurrency': 20,
         'name': 'bar25',
         'policy': 'immediate',
         'proxy_url': None,
         'pulp_created': datetime.datetime(2020, 3, 25, 17, 9, 13, 631685, tzinfo=tzlocal()),
         'pulp_href': '/pulp/api/v3/remotes/file/file/e42eea0d-e583-45ce-bdca-342169385cb2/',
         'pulp_last_updated': datetime.datetime(2020, 3, 25, 17, 9, 13, 631703, tzinfo=tzlocal()),
         'tls_validation': True,
         'url': 'https://repos.fedorapeople.org/pulp/pulp/demo_repos/test_file_repo/PULP_MANIFEST'}
        (Pdb) fileremotes.update(file_remote.pulp_href, file_remote)
        {'task': '/pulp/api/v3/tasks/ec6a2bb6-4ce4-4a0e-ab1c-62d37aecfd27/'}
        (Pdb) file_updated_remote = fileremotes.read(file_remote.pulp_href)
        (Pdb) file_updated_remote
        {'ca_cert': None,
         'client_cert': '7fc2a6b69d81c4581eac98454217b173a8b23256eefad0bb9eaabe199d8baae8',
         'client_key': None,
         'download_concurrency': 20,
         'name': 'bar25',
         'policy': 'immediate',
         'proxy_url': None,
         'pulp_created': datetime.datetime(2020, 3, 25, 17, 9, 13, 631685, tzinfo=tzlocal()),
         'pulp_href': '/pulp/api/v3/remotes/file/file/e42eea0d-e583-45ce-bdca-342169385cb2/',
         'pulp_last_updated': datetime.datetime(2020, 3, 25, 17, 10, 37, 747011, tzinfo=tzlocal()),
         'tls_validation': True,
         'url': 'https://repos.fedorapeople.org/pulp/pulp/demo_repos/test_file_repo/PULP_MANIFEST'}
         


Associated revisions

Revision e22b3725 View on GitHub
Added by dkliban@redhat.com 8 days ago

Ignores secret fields if the incoming value is the sha256 checksum of current value

fixes: #6402 https://pulp.plan.io/issues/6402

Revision a7da2e1d View on GitHub
Added by dkliban@redhat.com 7 days ago

Ignores secret fields if the incoming value is the sha256 checksum of current value

fixes: #6402 https://pulp.plan.io/issues/6402 (cherry picked from commit e22b3725c6ac51e5ef29a107b2012459c36d6dab)

History

#1 Updated by pulpbot 9 days ago

  • Status changed from ASSIGNED to POST

#2 Updated by dkliban@redhat.com 8 days ago

  • Status changed from POST to MODIFIED

Please register to edit this issue

Also available in: Atom PDF