define-fix-privilege-escalation and fix-collection-train-file-overwriting-through-soft-links

2023-11-08 15:28:59 +08:00 · 2023-11-08 15:28:59 +08:00 · bc70aaab7a
commit bc70aaab7a
parent 24929ef479
5 changed files with 176 additions and 41 deletions
--- a/0001-define-fix-privilege-escalation.patch
+++ b/0001-define-fix-privilege-escalation.patch
@ -0,0 +1,58 @@
+From 09c719964b362fa358c705a7b7e24bb02a1259bb Mon Sep 17 00:00:00 2001
+From: zhoupengcheng <zhoupengcheng11@huawei.com>
+Date: Wed, 8 Nov 2023 12:32:43 +0800
+Subject: [PATCH] 0001-define-fix-privilege-escalation.patch
+
+---
+ modules/client/profile/profile_define.go | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/modules/client/profile/profile_define.go b/modules/client/profile/profile_define.go
+index 87b3781..24e31d3 100644
+--- a/modules/client/profile/profile_define.go
+++ b/modules/client/profile/profile_define.go
+@@ -19,6 +19,7 @@ import (
+ 	SVC "gitee.com/openeuler/A-Tune/common/service"
+ 	"gitee.com/openeuler/A-Tune/common/utils"
+ 	"fmt"
+	"regexp"
+ 	"io/ioutil"
+ 
+ 	"github.com/go-ini/ini"
+@@ -88,11 +89,22 @@ func profileDefined(ctx *cli.Context) error {
+ 	if err := profileDefineCheck(ctx); err != nil {
+ 		return err
+ 	}
+
+
+	detectRule := `[./].*` 
+	detectPathchar := regexp.MustCompile(detectRule)
+
+ 	serviceType := ctx.Args().Get(0)
+	if detectPathchar.MatchString(serviceType) {
+		return fmt.Errorf("serviceType:%s cannot contain special path characters '/' or '.' ", serviceType)
+	}
+ 	if !utils.IsInputStringValid(serviceType) {
+ 		return fmt.Errorf("input:%s is invalid", serviceType)
+ 	}
+ 	applicationName := ctx.Args().Get(1)
+        if detectPathchar.MatchString(applicationName) {
+                return fmt.Errorf("applicationName:%s cannot contain special path characters '/' or '.' ", applicationName)
+        }
+ 	if !utils.IsInputStringValid(applicationName) {
+ 		return fmt.Errorf("input:%s is invalid", applicationName)
+ 	}
+@@ -100,7 +112,9 @@ func profileDefined(ctx *cli.Context) error {
+ 	if !utils.IsInputStringValid(scenarioName) {
+ 		return fmt.Errorf("input:%s is invalid", scenarioName)
+ 	}
+-
+        if detectPathchar.MatchString(scenarioName) {
+		return fmt.Errorf("scenarioName:%s cannot contain special path characters '/' or '.' ", scenarioName)
+        }
+ 	data, err := ioutil.ReadFile(ctx.Args().Get(3))
+ 	if err != nil {
+ 		return err
+-- 
+2.33.0
+
--- a/0002-define-fix-privilege-escalation.patch
+++ b/0002-define-fix-privilege-escalation.patch
@ -0,0 +1,50 @@
+From 8c411e610d702daf9e7505c1500163c481f7ed69 Mon Sep 17 00:00:00 2001
+From: zhoupengcheng <zhoupengcheng11@huawei.com>
+Date: Wed, 1 Nov 2023 17:45:05 +0800
+Subject: [PATCH] 0002-define-fix-privilege-escalation.patch
+
+---
+ modules/server/profile/profile.go | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/modules/server/profile/profile.go b/modules/server/profile/profile.go
+index 5cdaa9a..cbf48b9 100644
+--- a/modules/server/profile/profile.go
+++ b/modules/server/profile/profile.go
+@@ -1277,8 +1277,32 @@ func (s *ProfileServer) Define(ctx context.Context, message *PB.DefineMessage) (
+ 	applicationName := message.GetApplicationName()
+ 	scenarioName := message.GetScenarioName()
+ 	content := string(message.GetContent())
+-	profileName := serviceType + "-" + applicationName + "-" + scenarioName
+ 
+	detectRule := `[./].*`
+	detectPathchar := regexp.MustCompile(detectRule)
+
+	if detectPathchar.MatchString(serviceType) {
+		return &PB.Ack{}, fmt.Errorf("serviceType:%s cannot contain special path characters '/' or '.' ", serviceType)
+	}
+	if !utils.IsInputStringValid(serviceType) {
+		return &PB.Ack{}, fmt.Errorf("input:%s is invalid", serviceType)
+	}
+
+	if detectPathchar.MatchString(applicationName) {
+                return &PB.Ack{}, fmt.Errorf("applicationName:%s cannot contain special path characters '/' or '.' ", applicationName)
+        }
+	if !utils.IsInputStringValid(applicationName) {
+		return &PB.Ack{}, fmt.Errorf("input:%s is invalid", applicationName)
+	}
+
+	if detectPathchar.MatchString(scenarioName) {
+                return &PB.Ack{}, fmt.Errorf("scenarioName:%s cannot contain special path characters '/' or '.' ", scenarioName)
+        }
+	if !utils.IsInputStringValid(scenarioName) {
+		return &PB.Ack{}, fmt.Errorf("input:%s is invalid", scenarioName)
+	}
+
+	profileName := serviceType + "-" + applicationName + "-" + scenarioName
+ 	workloadTypeExist, err := sqlstore.ExistWorkloadType(profileName)
+ 	if err != nil {
+ 		return &PB.Ack{}, err
+-- 
+2.33.0
+
--- a/The-primary-node-changes-the-parameter-to-be-optimized-to-the-value-of-the-parameter-with-the-suffix-0.patch
+++ b/The-primary-node-changes-the-parameter-to-be-optimized-to-the-value-of-the-parameter-with-the-suffix-0.patch
@ -1,37 +0,0 @@
-From e03c6c0b6fd470e0f927c9c218aee350508e086c Mon Sep 17 00:00:00 2001
-From: tanghan <tanghan_220316@isrc.iscas.ac.cn>
-Date: Wed, 17 Aug 2022 08:48:04 +0000
-Subject: [PATCH] The primary node changes the parameter to be optimized to the value of the parameter with the suffix - 0.
---
- common/project/projet.go | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/common/project/projet.go b/common/project/projet.go
-index e10b3b2..22396dd 100644
--- a/common/project/projet.go
-+++ b/common/project/projet.go
-@@ -353,12 +353,16 @@ func (y *YamlPrjSvr) RunSet(optStr string) (error, string) {
- 		}
- 
- 		newScript = strings.Replace(newScript, "$name", objName, -1)
-		log.Info("set script:", newScript)
-		_, err = ExecCommand(newScript)
-		if err != nil {
-			return fmt.Errorf("failed to exec %s, err: %v", newScript, err), ""
-+		obj_len := len(obj.Name)
-+		if obj.Name[obj_len-1:obj_len] == "0" {
-+			log.Infof("set script for %s: %s", obj.Name, newScript)
-+			_, err = ExecCommand(newScript)
-+			if err != nil {
-+				return fmt.Errorf("failed to exec %s, err: %v", newScript, err), ""
-+			}
-+		} else {
-+			scripts = append(scripts, newScript)
- 		}
-		scripts = append(scripts, newScript)
- 	}
- 	log.Infof("after change paraMap: %+v\n", paraMap)
- 	return nil, strings.Join(scripts, ",")
-- 
-2.33.0
-
--- a/atune.spec
+++ b/atune.spec
@ -3,7 +3,7 @@
 Summary: AI auto tuning system
 Name: atune
 Version: 1.0.0
-Release: 15
+Release: 16
 License: MulanPSL-2.0
 URL: https://gitee.com/openeuler/A-Tune
 Source: https://gitee.com/openeuler/A-Tune/repository/archive/v%{version}.tar.gz
@ -19,7 +19,9 @@ Patch9007: 0002-bugfix-training-model-can-only-save-file-to-specifie.patch
 Patch9008: 0003-bugfix-collection-res-can-only-save-file-to-specifie.patch
 Patch9009: 0004-atune-add-service-restart-mode.patch
 Patch9010: 0005-atune-update-Makefile-and-logs.patch
-Patch9011: The-primary-node-changes-the-parameter-to-be-optimized-to-the-value-of-the-parameter-with-the-suffix-0.patch
+Patch9011: 0001-define-fix-privilege-escalation.patch
+Patch9012: 0002-define-fix-privilege-escalation.patch
+Patch9013: fix-collection-train-file-overwriting-through-soft-links.patch


 BuildRequires: rpm-build golang-bin procps-ng
@ -94,6 +96,8 @@ atune engine tool for manage atuned AI tuning system.
 %patch9009 -p1
 %patch9010 -p1
 %patch9011 -p1
+%patch9012 -p1
+%patch9013 -p1

 %build
 %make_build
@ -183,8 +187,11 @@ atune engine tool for manage atuned AI tuning system.
 %exclude /etc/atuned/rest_certs

 %changelog
-* Sat Oct 28 2023 zhoupengcheng <zhoupengcheng11@huawei.com> - 1.0.0-15
- bugfix for tuning --restore (https://gitee.com/openeuler/A-Tune/issues/I6AY86)
+* Wed Nov 8 2023 zhoupengcheng <zhoupengcheng11@huawei.com> - 1.0.0-16
+- fix-collection-train-file-overwriting-through-soft-links
+
+* Wed Nov 8 2023 zhoupengcheng <zhoupengcheng11@huawei.com> - 1.0.0-15
+- define-fix-privilege-escalation

 * Tue Oct 17 2023 sunchendong <sunchendong@xfusion.com> - 1.0.0-14
 - atune update Makefile and logs
--- a/fix-collection-train-file-overwriting-through-soft-links.patch
+++ b/fix-collection-train-file-overwriting-through-soft-links.patch
@ -0,0 +1,57 @@
+From c5e491e5dffab4dda814f2e1ba11c21714cac0c6 Mon Sep 17 00:00:00 2001
+From: zhoupengcheng <zhoupengcheng11@huawei.com>
+Date: Wed, 1 Nov 2023 11:14:37 +0800
+Subject: [PATCH] fix-collection-train-file-overwriting-through-soft-links.patch
+
+---
+ analysis/atuned/collector.py | 10 +++++++++-
+ analysis/engine/train.py     |  4 +++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/analysis/atuned/collector.py b/analysis/atuned/collector.py
+index 4749284..9a264dd 100755
+--- a/analysis/atuned/collector.py
+++ b/analysis/atuned/collector.py
+@@ -39,6 +39,15 @@ class Collector(Resource):
+         args = COLLECTOR_POST_PARSER.parse_args()
+         current_app.logger.info(args)
+         n_pipe = get_npipe(args.get("pipe"))
+
+        path = args.get("file")
+        path = os.path.abspath(path)
+        if not path.startswith("/var/atune_data/collection/"):
+            return "Files outside the /var/atune_data/collection/ directory cannot be modified.", 400
+
+        if os.path.exists(path):
+            return "File already exists!", 400
+
+         monitors = []
+         mpis = []
+         field_name = []
+@@ -91,7 +100,6 @@ class Collector(Resource):
+         if n_pipe is not None:
+             n_pipe.close()
+ 
+-        path = args.get("file")
+         save_file(path, data, field_name)
+         result = {}
+         result["path"] = path
+diff --git a/analysis/engine/train.py b/analysis/engine/train.py
+index 7608660..462b16c 100644
+--- a/analysis/engine/train.py
+++ b/analysis/engine/train.py
+@@ -49,8 +49,10 @@ class Training(Resource):
+             return "Illegal model name provide: {}".format(err), 400
+ 
+         characterization = WorkloadCharacterization(model_path)
+        output_path = TRAINING_MODEL_PATH + model_name
+        if os.path.exists(output_path):
+            return "File already exists!", 400
+         try:
+-            output_path = TRAINING_MODEL_PATH + model_name
+             characterization.retrain(data_path, output_path)
+         except Exception as err:
+             LOGGER.error(err)
+-- 
+2.33.0
+