define-fix-privilege-escalation and fix-collection-train-file-overwriting-through-soft-links

2023-11-08 15:28:59 +08:00 · 2023-11-08 15:28:59 +08:00 · bc70aaab7a
commit bc70aaab7a
parent 24929ef479
5 changed files with 176 additions and 41 deletions
--- a/0001-define-fix-privilege-escalation.patch
+++ b/0001-define-fix-privilege-escalation.patch
@ -0,0 +1,58 @@
 From 09c719964b362fa358c705a7b7e24bb02a1259bb Mon Sep 17 00:00:00 2001
 From: zhoupengcheng <zhoupengcheng11@huawei.com>
 Date: Wed, 8 Nov 2023 12:32:43 +0800
 Subject: [PATCH] 0001-define-fix-privilege-escalation.patch
 ---
 modules/client/profile/profile_define.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
 diff --git a/modules/client/profile/profile_define.go b/modules/client/profile/profile_define.go
 index 87b3781..24e31d3 100644
 --- a/modules/client/profile/profile_define.go
 +++ b/modules/client/profile/profile_define.go
@@ -19,6 +19,7 @@ import (
 	SVC "gitee.com/openeuler/A-Tune/common/service"
 	"gitee.com/openeuler/A-Tune/common/utils"
 	"fmt"
 +	"regexp"
 	"io/ioutil"
 	"github.com/go-ini/ini"
@@ -88,11 +89,22 @@ func profileDefined(ctx *cli.Context) error {
 	if err := profileDefineCheck(ctx); err != nil {
 		return err
 	}
 +
 +
 +	detectRule := `[./].*` 
 +	detectPathchar := regexp.MustCompile(detectRule)
 +
 	serviceType := ctx.Args().Get(0)
 +	if detectPathchar.MatchString(serviceType) {
 +		return fmt.Errorf("serviceType:%s cannot contain special path characters '/' or '.' ", serviceType)
 +	}
 	if !utils.IsInputStringValid(serviceType) {
 		return fmt.Errorf("input:%s is invalid", serviceType)
 	}
 	applicationName := ctx.Args().Get(1)
 +        if detectPathchar.MatchString(applicationName) {
 +                return fmt.Errorf("applicationName:%s cannot contain special path characters '/' or '.' ", applicationName)
 +        }
 	if !utils.IsInputStringValid(applicationName) {
 		return fmt.Errorf("input:%s is invalid", applicationName)
 	}
@@ -100,7 +112,9 @@ func profileDefined(ctx *cli.Context) error {
 	if !utils.IsInputStringValid(scenarioName) {
 		return fmt.Errorf("input:%s is invalid", scenarioName)
 	}
 -
 +        if detectPathchar.MatchString(scenarioName) {
 +		return fmt.Errorf("scenarioName:%s cannot contain special path characters '/' or '.' ", scenarioName)
 +        }
 	data, err := ioutil.ReadFile(ctx.Args().Get(3))
 	if err != nil {
 		return err
 -- 
 2.33.0
--- a/0002-define-fix-privilege-escalation.patch
+++ b/0002-define-fix-privilege-escalation.patch
@ -0,0 +1,50 @@
 From 8c411e610d702daf9e7505c1500163c481f7ed69 Mon Sep 17 00:00:00 2001
 From: zhoupengcheng <zhoupengcheng11@huawei.com>
 Date: Wed, 1 Nov 2023 17:45:05 +0800
 Subject: [PATCH] 0002-define-fix-privilege-escalation.patch
 ---
 modules/server/profile/profile.go | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
 diff --git a/modules/server/profile/profile.go b/modules/server/profile/profile.go
 index 5cdaa9a..cbf48b9 100644
 --- a/modules/server/profile/profile.go
 +++ b/modules/server/profile/profile.go
@@ -1277,8 +1277,32 @@ func (s *ProfileServer) Define(ctx context.Context, message *PB.DefineMessage) (
 	applicationName := message.GetApplicationName()
 	scenarioName := message.GetScenarioName()
 	content := string(message.GetContent())
 -	profileName := serviceType + "-" + applicationName + "-" + scenarioName
 +	detectRule := `[./].*`
 +	detectPathchar := regexp.MustCompile(detectRule)
 +
 +	if detectPathchar.MatchString(serviceType) {
 +		return &PB.Ack{}, fmt.Errorf("serviceType:%s cannot contain special path characters '/' or '.' ", serviceType)
 +	}
 +	if !utils.IsInputStringValid(serviceType) {
 +		return &PB.Ack{}, fmt.Errorf("input:%s is invalid", serviceType)
 +	}
 +
 +	if detectPathchar.MatchString(applicationName) {
 +                return &PB.Ack{}, fmt.Errorf("applicationName:%s cannot contain special path characters '/' or '.' ", applicationName)
 +        }
 +	if !utils.IsInputStringValid(applicationName) {
 +		return &PB.Ack{}, fmt.Errorf("input:%s is invalid", applicationName)
 +	}
 +
 +	if detectPathchar.MatchString(scenarioName) {
 +                return &PB.Ack{}, fmt.Errorf("scenarioName:%s cannot contain special path characters '/' or '.' ", scenarioName)
 +        }
 +	if !utils.IsInputStringValid(scenarioName) {
 +		return &PB.Ack{}, fmt.Errorf("input:%s is invalid", scenarioName)
 +	}
 +
 +	profileName := serviceType + "-" + applicationName + "-" + scenarioName
 	workloadTypeExist, err := sqlstore.ExistWorkloadType(profileName)
 	if err != nil {
 		return &PB.Ack{}, err
 -- 
 2.33.0
--- a/The-primary-node-changes-the-parameter-to-be-optimized-to-the-value-of-the-parameter-with-the-suffix-0.patch
+++ b/The-primary-node-changes-the-parameter-to-be-optimized-to-the-value-of-the-parameter-with-the-suffix-0.patch
@ -1,37 +0,0 @@
 From e03c6c0b6fd470e0f927c9c218aee350508e086c Mon Sep 17 00:00:00 2001
 From: tanghan <tanghan_220316@isrc.iscas.ac.cn>
 Date: Wed, 17 Aug 2022 08:48:04 +0000
 Subject: [PATCH] The primary node changes the parameter to be optimized to the value of the parameter with the suffix - 0.
 ---
 common/project/projet.go | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
 diff --git a/common/project/projet.go b/common/project/projet.go
 index e10b3b2..22396dd 100644
 --- a/common/project/projet.go
 +++ b/common/project/projet.go
@@ -353,12 +353,16 @@ func (y *YamlPrjSvr) RunSet(optStr string) (error, string) {
 		}
 		newScript = strings.Replace(newScript, "$name", objName, -1)
 -		log.Info("set script:", newScript)
 -		_, err = ExecCommand(newScript)
 -		if err != nil {
 -			return fmt.Errorf("failed to exec %s, err: %v", newScript, err), ""
 +		obj_len := len(obj.Name)
 +		if obj.Name[obj_len-1:obj_len] == "0" {
 +			log.Infof("set script for %s: %s", obj.Name, newScript)
 +			_, err = ExecCommand(newScript)
 +			if err != nil {
 +				return fmt.Errorf("failed to exec %s, err: %v", newScript, err), ""
 +			}
 +		} else {
 +			scripts = append(scripts, newScript)
 		}
 -		scripts = append(scripts, newScript)
 	}
 	log.Infof("after change paraMap: %+v\n", paraMap)
 	return nil, strings.Join(scripts, ",")
 -- 
 2.33.0
--- a/atune.spec
+++ b/atune.spec
@ -3,7 +3,7 @@
 Summary: AI auto tuning system
 Name: atune
 Version: 1.0.0
-Release: 15
+Release: 16
 License: MulanPSL-2.0
 URL: https://gitee.com/openeuler/A-Tune
 Source: https://gitee.com/openeuler/A-Tune/repository/archive/v%{version}.tar.gz
@ -19,7 +19,9 @@ Patch9007: 0002-bugfix-training-model-can-only-save-file-to-specifie.patch
 Patch9008: 0003-bugfix-collection-res-can-only-save-file-to-specifie.patch
 Patch9009: 0004-atune-add-service-restart-mode.patch
 Patch9010: 0005-atune-update-Makefile-and-logs.patch
-Patch9011: The-primary-node-changes-the-parameter-to-be-optimized-to-the-value-of-the-parameter-with-the-suffix-0.patch
+Patch9011: 0001-define-fix-privilege-escalation.patch
 Patch9012: 0002-define-fix-privilege-escalation.patch
 Patch9013: fix-collection-train-file-overwriting-through-soft-links.patch
 BuildRequires: rpm-build golang-bin procps-ng
@ -94,6 +96,8 @@ atune engine tool for manage atuned AI tuning system.
 %patch9009 -p1
 %patch9010 -p1
 %patch9011 -p1
 %patch9012 -p1
 %patch9013 -p1
 %build
 %make_build
@ -183,8 +187,11 @@ atune engine tool for manage atuned AI tuning system.
 %exclude /etc/atuned/rest_certs
 %changelog
-* Sat Oct 28 2023 zhoupengcheng <zhoupengcheng11@huawei.com> - 1.0.0-15
+* Wed Nov 8 2023 zhoupengcheng <zhoupengcheng11@huawei.com> - 1.0.0-16
- bugfix for tuning --restore (https://gitee.com/openeuler/A-Tune/issues/I6AY86)
+- fix-collection-train-file-overwriting-through-soft-links
 * Wed Nov 8 2023 zhoupengcheng <zhoupengcheng11@huawei.com> - 1.0.0-15
 - define-fix-privilege-escalation
 * Tue Oct 17 2023 sunchendong <sunchendong@xfusion.com> - 1.0.0-14
 - atune update Makefile and logs
--- a/fix-collection-train-file-overwriting-through-soft-links.patch
+++ b/fix-collection-train-file-overwriting-through-soft-links.patch
@ -0,0 +1,57 @@
 From c5e491e5dffab4dda814f2e1ba11c21714cac0c6 Mon Sep 17 00:00:00 2001
 From: zhoupengcheng <zhoupengcheng11@huawei.com>
 Date: Wed, 1 Nov 2023 11:14:37 +0800
 Subject: [PATCH] fix-collection-train-file-overwriting-through-soft-links.patch
 ---
 analysis/atuned/collector.py | 10 +++++++++-
 analysis/engine/train.py     |  4 +++-
 2 files changed, 12 insertions(+), 2 deletions(-)
 diff --git a/analysis/atuned/collector.py b/analysis/atuned/collector.py
 index 4749284..9a264dd 100755
 --- a/analysis/atuned/collector.py
 +++ b/analysis/atuned/collector.py
@@ -39,6 +39,15 @@ class Collector(Resource):
         args = COLLECTOR_POST_PARSER.parse_args()
         current_app.logger.info(args)
         n_pipe = get_npipe(args.get("pipe"))
 +
 +        path = args.get("file")
 +        path = os.path.abspath(path)
 +        if not path.startswith("/var/atune_data/collection/"):
 +            return "Files outside the /var/atune_data/collection/ directory cannot be modified.", 400
 +
 +        if os.path.exists(path):
 +            return "File already exists!", 400
 +
         monitors = []
         mpis = []
         field_name = []
@@ -91,7 +100,6 @@ class Collector(Resource):
         if n_pipe is not None:
             n_pipe.close()
 -        path = args.get("file")
         save_file(path, data, field_name)
         result = {}
         result["path"] = path
 diff --git a/analysis/engine/train.py b/analysis/engine/train.py
 index 7608660..462b16c 100644
 --- a/analysis/engine/train.py
 +++ b/analysis/engine/train.py
@@ -49,8 +49,10 @@ class Training(Resource):
             return "Illegal model name provide: {}".format(err), 400
         characterization = WorkloadCharacterization(model_path)
 +        output_path = TRAINING_MODEL_PATH + model_name
 +        if os.path.exists(output_path):
 +            return "File already exists!", 400
         try:
 -            output_path = TRAINING_MODEL_PATH + model_name
             characterization.retrain(data_path, output_path)
         except Exception as err:
             LOGGER.error(err)
 -- 
 2.33.0