From bc70aaab7a5f0331bbb71ce39d46f49b57329b62 Mon Sep 17 00:00:00 2001
From: zhoupengcheng
Date: Wed, 8 Nov 2023 15:28:59 +0800
Subject: [PATCH] define-fix-privilege-escalation and fix-collection-train-file-overwriting-through-soft-links
---
 0001-define-fix-privilege-escalation.patch | 58 +++++++++++++++++++
 0002-define-fix-privilege-escalation.patch | 50 ++++++++++++++++
 ...e-of-the-parameter-with-the-suffix-0.patch | 37 ------------
 atune.spec | 15 +++-
 ...-file-overwriting-through-soft-links.patch | 57 ++++++++++++++++++
 5 files changed, 176 insertions(+), 41 deletions(-)
 create mode 100644 0001-define-fix-privilege-escalation.patch
 create mode 100644 0002-define-fix-privilege-escalation.patch
 delete mode 100644 The-primary-node-changes-the-parameter-to-be-optimized-to-the-value-of-the-parameter-with-the-suffix-0.patch
 create mode 100644 fix-collection-train-file-overwriting-through-soft-links.patch
diff --git a/0001-define-fix-privilege-escalation.patch b/0001-define-fix-privilege-escalation.patch
new file mode 100644
index 0000000..a971ae8
--- /dev/null
+++ b/0001-define-fix-privilege-escalation.patch
@@ -0,0 +1,58 @@
+From 09c719964b362fa358c705a7b7e24bb02a1259bb Mon Sep 17 00:00:00 2001
+From: zhoupengcheng
+Date: Wed, 8 Nov 2023 12:32:43 +0800
+Subject: [PATCH] 0001-define-fix-privilege-escalation.patch
+
+---
+ modules/client/profile/profile_define.go | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/modules/client/profile/profile_define.go b/modules/client/profile/profile_define.go
+index 87b3781..24e31d3 100644
+--- a/modules/client/profile/profile_define.go
++++ b/modules/client/profile/profile_define.go
+@@ -19,6 +19,7 @@ import (
+ SVC "gitee.com/openeuler/A-Tune/common/service"
+ "gitee.com/openeuler/A-Tune/common/utils"
+ "fmt"
++ "regexp"
+ "io/ioutil"
+
+ "github.com/go-ini/ini"
+@@ -88,11 +89,22 @@ func profileDefined(ctx *cli.Context) error {
+ if err := profileDefineCheck(ctx); err != nil {
+ return err
+ }
++
++
++ detectRule := `[./].*`
++ detectPathchar := regexp.MustCompile(detectRule)
++
+ serviceType := ctx.Args().Get(0)
++ if detectPathchar.MatchString(serviceType) {
++ return fmt.Errorf("serviceType:%s cannot contain special path characters '/' or '.' ", serviceType)
++ }
+ if !utils.IsInputStringValid(serviceType) {
+ return fmt.Errorf("input:%s is invalid", serviceType)
+ }
+ applicationName := ctx.Args().Get(1)
++ if detectPathchar.MatchString(applicationName) {
++ return fmt.Errorf("applicationName:%s cannot contain special path characters '/' or '.' ", applicationName)
++ }
+ if !utils.IsInputStringValid(applicationName) {
+ return fmt.Errorf("input:%s is invalid", applicationName)
+ }
+@@ -100,7 +112,9 @@ func profileDefined(ctx *cli.Context) error {
+ if !utils.IsInputStringValid(scenarioName) {
+ return fmt.Errorf("input:%s is invalid", scenarioName)
+ }
+-
++ if detectPathchar.MatchString(scenarioName) {
++ return fmt.Errorf("scenarioName:%s cannot contain special path characters '/' or '.' ", scenarioName)
++ }
+ data, err := ioutil.ReadFile(ctx.Args().Get(3))
+ if err != nil {
+ return err
+--
+2.33.0
+
diff --git a/0002-define-fix-privilege-escalation.patch b/0002-define-fix-privilege-escalation.patch
new file mode 100644
index 0000000..c7bf633
--- /dev/null
+++ b/0002-define-fix-privilege-escalation.patch
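Review bot: The `[./].*` pattern added just before `serviceType := ctx.Args().Get(0)` is recompiled on every call and its trailing `.*` adds nothing; `strings.ContainsAny(serviceType, "./")` expresses the same test without the new `regexp` import, or hoist it as `var pathCharRe = regexp.MustCompile(`[./]`)` at package scope. The three new error strings end with a space before the closing quote, and the two consecutive blank lines inserted after the `profileDefineCheck` block are not gofmt-clean. The `scenarioName` check is placed after `IsInputStringValid` while the other two come before it — harmless, but worth aligning. Since this is the CLI client, the check is only a usability guard; the authoritative validation has to live in the server's `Define` handler. `profileDefined` continues outside the hunk.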
@@ -0,0 +1,50 @@
+From 8c411e610d702daf9e7505c1500163c481f7ed69 Mon Sep 17 00:00:00 2001
+From: zhoupengcheng
+Date: Wed, 1 Nov 2023 17:45:05 +0800
+Subject: [PATCH] 0002-define-fix-privilege-escalation.patch
+
+---
+ modules/server/profile/profile.go | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/modules/server/profile/profile.go b/modules/server/profile/profile.go
+index 5cdaa9a..cbf48b9 100644
+--- a/modules/server/profile/profile.go
++++ b/modules/server/profile/profile.go
+@@ -1277,8 +1277,32 @@ func (s *ProfileServer) Define(ctx context.Context, message *PB.DefineMessage) (
+ applicationName := message.GetApplicationName()
+ scenarioName := message.GetScenarioName()
+ content := string(message.GetContent())
+- profileName := serviceType + "-" + applicationName + "-" + scenarioName
+
++ detectRule := `[./].*`
++ detectPathchar := regexp.MustCompile(detectRule)
++
++ if detectPathchar.MatchString(serviceType) {
++ return &PB.Ack{}, fmt.Errorf("serviceType:%s cannot contain special path characters '/' or '.' ", serviceType)
++ }
++ if !utils.IsInputStringValid(serviceType) {
++ return &PB.Ack{}, fmt.Errorf("input:%s is invalid", serviceType)
++ }
++
++ if detectPathchar.MatchString(applicationName) {
++ return &PB.Ack{}, fmt.Errorf("applicationName:%s cannot contain special path characters '/' or '.' ", applicationName)
++ }
++ if !utils.IsInputStringValid(applicationName) {
++ return &PB.Ack{}, fmt.Errorf("input:%s is invalid", applicationName)
++ }
++
++ if detectPathchar.MatchString(scenarioName) {
++ return &PB.Ack{}, fmt.Errorf("scenarioName:%s cannot contain special path characters '/' or '.' ", scenarioName)
++ }
++ if !utils.IsInputStringValid(scenarioName) {
++ return &PB.Ack{}, fmt.Errorf("input:%s is invalid", scenarioName)
++ }
++
++ profileName := serviceType + "-" + applicationName + "-" + scenarioName
+ workloadTypeExist, err := sqlstore.ExistWorkloadType(profileName)
+ if err != nil {
+ return &PB.Ack{}, err
+--
+2.33.0
+
diff --git a/The-primary-node-changes-the-parameter-to-be-optimized-to-the-value-of-the-parameter-with-the-suffix-0.patch b/The-primary-node-changes-the-parameter-to-be-optimized-to-the-value-of-the-parameter-with-the-suffix-0.patch
deleted file mode 100644
index 97cb97b..0000000
--- a/The-primary-node-changes-the-parameter-to-be-optimized-to-the-value-of-the-parameter-with-the-suffix-0.patch
+++ /dev/null
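Review bot: The hunk calls `regexp.MustCompile`, `fmt.Errorf` and `utils.IsInputStringValid` but, as the nested diffstat shows (25 insertions, all in this one hunk), adds nothing to the import block of `profile.go`; unless that file already imports `regexp`, `fmt` and `utils`, the patched server will not compile — the client patch did add `"regexp"` for its own file, so check this one. The per-request `regexp.MustCompile` of `[./].*` can be replaced by `strings.ContainsAny(name, "./")` (or a package-level `var pathCharRe = regexp.MustCompile(`[./]`)`), which also drops the redundant `.*`. Rejecting `.` and `/` in each component of `profileName` blocks `..` and separator injection at the right layer, but an empty component still passes the regex, so whether `IsInputStringValid` rejects `""` decides if names like `--` or `x--y` can be produced — worth confirming. The new error strings end with a trailing space before the closing quote. `Define` starts and ends outside the hunk.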
@@ -1,37 +0,0 @@
-From e03c6c0b6fd470e0f927c9c218aee350508e086c Mon Sep 17 00:00:00 2001
-From: tanghan
-Date: Wed, 17 Aug 2022 08:48:04 +0000
-Subject: [PATCH] The primary node changes the parameter to be optimized to the value of the parameter with the suffix - 0.
----
- common/project/projet.go | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/common/project/projet.go b/common/project/projet.go
-index e10b3b2..22396dd 100644
---- a/common/project/projet.go
-+++ b/common/project/projet.go
-@@ -353,12 +353,16 @@ func (y *YamlPrjSvr) RunSet(optStr string) (error, string) {
- }
-
- newScript = strings.Replace(newScript, "$name", objName, -1)
-- log.Info("set script:", newScript)
-- _, err = ExecCommand(newScript)
-- if err != nil {
-- return fmt.Errorf("failed to exec %s, err: %v", newScript, err), ""
-+ obj_len := len(obj.Name)
-+ if obj.Name[obj_len-1:obj_len] == "0" {
-+ log.Infof("set script for %s: %s", obj.Name, newScript)
-+ _, err = ExecCommand(newScript)
-+ if err != nil {
-+ return fmt.Errorf("failed to exec %s, err: %v", newScript, err), ""
-+ }
-+ } else {
-+ scripts = append(scripts, newScript)
- }
-- scripts = append(scripts, newScript)
- }
- log.Infof("after change paraMap: %+v\n", paraMap)
- return nil, strings.Join(scripts, ",")
---
-2.33.0
-
diff --git a/atune.spec b/atune.spec
index 931b256..1aa336a 100755
--- a/atune.spec
+++ b/atune.spec
@@ -3,7 +3,7 @@
 Summary: AI auto tuning system
 Name: atune
 Version: 1.0.0
-Release: 15
+Release: 16
 License: MulanPSL-2.0
 URL: https://gitee.com/openeuler/A-Tune
 Source: https://gitee.com/openeuler/A-Tune/repository/archive/v%{version}.tar.gz
@@ -19,7 +19,9 @@ Patch9007: 0002-bugfix-training-model-can-only-save-file-to-specifie.patch
 Patch9008: 0003-bugfix-collection-res-can-only-save-file-to-specifie.patch
 Patch9009: 0004-atune-add-service-restart-mode.patch
 Patch9010: 0005-atune-update-Makefile-and-logs.patch
-Patch9011: The-primary-node-changes-the-parameter-to-be-optimized-to-the-value-of-the-parameter-with-the-suffix-0.patch
+Patch9011: 0001-define-fix-privilege-escalation.patch
+Patch9012: 0002-define-fix-privilege-escalation.patch
+Patch9013: fix-collection-train-file-overwriting-through-soft-links.patch
 BuildRequires: rpm-build golang-bin procps-ng
@@ -94,6 +96,8 @@ atune engine tool for manage atuned AI tuning system.
 %patch9009 -p1
 %patch9010 -p1
 %patch9011 -p1
+%patch9012 -p1
+%patch9013 -p1
 %build
 %make_build
@@ -183,8 +187,11 @@ atune engine tool for manage atuned AI tuning system.
 %exclude /etc/atuned/rest_certs
 %changelog
-* Sat Oct 28 2023 zhoupengcheng - 1.0.0-15
-- bugfix for tuning --restore (https://gitee.com/openeuler/A-Tune/issues/I6AY86)
+* Wed Nov 8 2023 zhoupengcheng - 1.0.0-16
+- fix-collection-train-file-overwriting-through-soft-links
+
+* Wed Nov 8 2023 zhoupengcheng - 1.0.0-15
+- define-fix-privilege-escalation
 * Tue Oct 17 2023 sunchendong - 1.0.0-14
 - atune update Makefile and logs
diff --git a/fix-collection-train-file-overwriting-through-soft-links.patch b/fix-collection-train-file-overwriting-through-soft-links.patch
new file mode 100644
index 0000000..c527b16
--- /dev/null
+++ b/fix-collection-train-file-overwriting-through-soft-links.patch
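Review bot: Replacing `Patch9011: The-primary-node-...-suffix-0.patch` with `0001-define-fix-privilege-escalation.patch` silently drops the earlier RunSet fix from the build (the patch file itself is deleted in this commit), and neither the commit subject nor the new changelog lines say that this is intended. If that change is already in the v1.0.0 tarball or was superseded, record it in the changelog; otherwise keep it as `Patch9011` and add the three new patches as `Patch9012`–`Patch9014`, adjusting the `%patch` lines in the `%prep` hunk to match.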
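Review bot: The changelog hunk rewrites the existing `* Sat Oct 28 2023 zhoupengcheng - 1.0.0-15` entry (bugfix for tuning --restore, issue I6AY86) into a new `1.0.0-15` entry dated Nov 8 with different content, so the record of the presumably already-built -15 release is lost and two entries now carry the same date. Keep the original -15 entry as it was and list both fixes under the single new entry, e.g. `* Wed Nov 8 2023 zhoupengcheng - 1.0.0-16` followed by `- define-fix-privilege-escalation` and `- fix-collection-train-file-overwriting-through-soft-links`.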
@@ -0,0 +1,57 @@
+From c5e491e5dffab4dda814f2e1ba11c21714cac0c6 Mon Sep 17 00:00:00 2001
+From: zhoupengcheng
+Date: Wed, 1 Nov 2023 11:14:37 +0800
+Subject: [PATCH] fix-collection-train-file-overwriting-through-soft-links.patch
+
+---
+ analysis/atuned/collector.py | 10 +++++++++-
+ analysis/engine/train.py | 4 +++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/analysis/atuned/collector.py b/analysis/atuned/collector.py
+index 4749284..9a264dd 100755
+--- a/analysis/atuned/collector.py
++++ b/analysis/atuned/collector.py
+@@ -39,6 +39,15 @@ class Collector(Resource):
+ args = COLLECTOR_POST_PARSER.parse_args()
+ current_app.logger.info(args)
+ n_pipe = get_npipe(args.get("pipe"))
++
++ path = args.get("file")
++ path = os.path.abspath(path)
++ if not path.startswith("/var/atune_data/collection/"):
++ return "Files outside the /var/atune_data/collection/ directory cannot be modified.", 400
++
++ if os.path.exists(path):
++ return "File already exists!", 400
++
+ monitors = []
+ mpis = []
+ field_name = []
+@@ -91,7 +100,6 @@ class Collector(Resource):
+ if n_pipe is not None:
+ n_pipe.close()
+
+- path = args.get("file")
+ save_file(path, data, field_name)
+ result = {}
+ result["path"] = path
+diff --git a/analysis/engine/train.py b/analysis/engine/train.py
+index 7608660..462b16c 100644
+--- a/analysis/engine/train.py
++++ b/analysis/engine/train.py
+@@ -49,8 +49,10 @@ class Training(Resource):
+ return "Illegal model name provide: {}".format(err), 400
+
+ characterization = WorkloadCharacterization(model_path)
++ output_path = TRAINING_MODEL_PATH + model_name
++ if os.path.exists(output_path):
++ return "File already exists!", 400
+ try:
+- output_path = TRAINING_MODEL_PATH + model_name
+ characterization.retrain(data_path, output_path)
+ except Exception as err:
+ LOGGER.error(err)
+--
+2.33.0
+
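Review bot: `os.path.abspath(path)` in the `Collector` hunk only normalizes the string and does not resolve symlinks, so a link placed under `/var/atune_data/collection/` still passes the prefix check, and because `os.path.exists` returns False for a dangling symlink, `save_file` will follow such a link and create the target wherever it points — the very overwrite the patch title is about. Resolve with `path = os.path.realpath(path)` (comparing against the realpath of the base directory too, in case that directory is itself a link) and test `os.path.lexists(path)` so dangling links are rejected as well. Even then the exists-then-write sequence is a TOCTOU window; the durable fix is for `save_file` (not visible here) to create the file with `open(path, "x")` or `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW)` and map `FileExistsError` to the 400. If `args.get("file")` can be absent, `os.path.abspath(None)` raises `TypeError` and the request fails with a 500 instead of a 400. The `Training` hunk has the same exists-then-write pattern with no directory-prefix check, relying on the model-name validation that precedes the hunk, and builds `output_path` by string concatenation rather than `os.path.join`.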