Chef Server API should not allow client-names with newline characters #124

PrajaktaPurohit · 2015-03-06T19:47:31Z

In the current chef-server we can create a client with name "staging-mike\n".
That should not be allowed.

REF: #90

Issue noted in : https://getchef.zendesk.com/agent/tickets/3212

marcparadise · 2015-03-06T20:08:18Z

Similar to #90, I tried to recreate this. I got a 400 response from the server with the message
{"error":["Invalid client name 'testing_\nclient' using regex: 'Malformed client name. Must be A-Z, a-z, 0-9, _, -, or .'."]}

The input here was:

"(<<-EOM)"
testing
client
EOM

Is it possible that this client was modified through an external means?

stevendanna · 2015-03-06T23:14:08Z

This is possible via the API on a PUT to an existing client:

chef > api.get("/clients").keys
 => ["acme-validator", "foobar"]
chef > api.put("/clients/foobar", name: "foobar\n"); nil
 => nil
chef > api.get("/clients").keys
 => ["acme-validator", "foobar\n"]

n4rk0o · 2015-10-13T12:19:05Z

Hello,

The solution proposed by stevendanna id not working with Chef Server 12. I tried to change the name with:
chef-shell > clients.transform(":") do |client|
if client.name =~ /borat/i
client.name("barot")
else
nil
end
end

The result indicated that the name changed correctly but after executing the command "clients.all", the name of the client is still always:

name => 'XXXXXX
'
So, with this modification I'm able to access to the client in the web UI of Chef.

ghost · 2019-01-10T16:12:38Z

Any tips for getting rid of a client with a newline?

biox · 2021-08-23T14:20:43Z

We solved this by renaming the client from within postgres, and then deleting the client with knife.

For example, if the bad hostname was "foobar\n", I'd do something like this:

opscode_chef=# SELECT * FROM clients WHERE name LIKE 'foobar%' LIMIT 10;
opscode_chef=# UPDATE clients
opscode_chef-# SET name = 'foobar'
opscode_chef-# WHERE
# id is pulled from the SELECT query
opscode_chef-#  id = 'fae12048578e9f7777a66999b9' AND
opscode_chef-#  name LIKE 'foobar%';
UPDATE 1

opscode_chef=# SELECT * FROM clients WHERE name LIKE 'foobar%' LIMIT 10;

Then, optionally, you can delete it with knife:

knife client delete foobar
Do you really want to delete foobar? (Y/N) y
Deleted client[foobar]

This worked fine for us, but may have consequences. Perform at your own risk! 🤷

marcparadise mentioned this issue Mar 6, 2015

Chef Server API should not allow usernames with spaces #90

Closed

stevendanna added the bug label Mar 10, 2015

sdelano added this to the accepted-minor milestone Jun 10, 2015

tas50 added Type: Bug Does not work as expected. and removed bug labels Jan 4, 2019

PrajaktaPurohit added Status: To be prioritized Indicates that product needs to prioritize this issue. Triage: Try Reproducing Indicates that this issue needs to be reproduced. labels Jul 17, 2020

stevendanna removed this from the accepted-minor milestone Sep 29, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Chef Server API should not allow client-names with newline characters #124

Chef Server API should not allow client-names with newline characters #124

PrajaktaPurohit commented Mar 6, 2015

marcparadise commented Mar 6, 2015

stevendanna commented Mar 6, 2015

n4rk0o commented Oct 13, 2015

ghost commented Jan 10, 2019

biox commented Aug 23, 2021 •

edited

Loading

Chef Server API should not allow client-names with newline characters #124

Chef Server API should not allow client-names with newline characters #124

Comments

PrajaktaPurohit commented Mar 6, 2015

marcparadise commented Mar 6, 2015

stevendanna commented Mar 6, 2015

n4rk0o commented Oct 13, 2015

ghost commented Jan 10, 2019

biox commented Aug 23, 2021 • edited Loading

biox commented Aug 23, 2021 •

edited

Loading