db/pgbackrest
1
0
Fork 0
mirror of https://github.com/pgbackrest/pgbackrest.git synced 2025-07-17 01:12:23 +02:00
Code Issues Releases Activity

Immediately error when a secure option (e.g. repo1-s3-key) is passed on the command line.

Browse Source 
Since pgBackRest would not pass secure options on to sub-processes an obscure error was thrown. The new error is much clearer and provides hints about how to fix the problem.

Update command documentation to omit secure options that cannot be specified on the command-line.

Reported by Brad Nicholson.
This commit is contained in:
David Steele
2018-03-15 12:02:09 -04:00
parent dd3ce70810
commit 8a1ce42c30
4 changed files with 36 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
doc/lib/BackRestDoc/Common/DocConfig.pm
View File

@ -700,6 +700,9 @@ sub helpCommandDocGet
foreach my $strOption (sort(keys(%{$$oCommandHash{&CONFIG_HELP_OPTION}})))
{
# Skip secure options that can't be defined on the command line
next if ($rhConfigDefine->{$strOption}{&CFGDEF_SECURE});
my ($oOption, $strCategory) = helpCommandDocGetOptionFind($oConfigHash, $oOptionDefine, $strCommand, $strOption);
$$oCategory{$strCategory}{$strOption} = $oOption;

8
doc/xml/release.xml
View File

@ -23,6 +23,14 @@
<p>Fix <br-option>--target-action</br-option> and <br-option>--recovery-option</br-option> options being reported as invalid when restoring with <br-option>--type=immediate</br-option>.</p>
</release-item>
<release-item>
<release-item-contributor-list>
<release-item-ideator id="nicholson.brad"/>
</release-item-contributor-list>
<p>Immediately error when a secure option (e.g. <br-option>repo1-s3-key</br-option>) is passed on the command line. Since <backrest/> would not pass secure options on to sub-processes an obscure error was thrown. The new error is much clearer and provides hints about how to fix the problem. Update command documentation to omit secure options that cannot be specified on the command-line.</p>
</release-item>
<release-item>
<release-item-contributor-list>
<release-item-ideator id="kokdemir.ibrahim.edib"/>

11
src/config/parse.c
View File

@ -430,6 +430,17 @@ configParse(unsigned int argListSize, const char *argList[])
cfgCommandName(cfgCommand()));
}
// Error if this option is secure and cannot be passed on the command line
if (parseOption->found && parseOption->source == cfgSourceParam && cfgDefOptionSecure(optionDefId))
{
THROW(
OptionInvalidError,
"option '%s' is not allowed on the command-line\n"
"HINT: this option could expose secrets in the process list.\n"
"HINT: specify the option in '%s' instead.",
cfgOptionName(optionId), cfgDefOptionDefault(commandDefId, cfgDefOptConfig));
}
// Error if this option does not allow multiple arguments
if (parseOption->valueList != NULL && strLstSize(parseOption->valueList) > 1 &&
!(cfgDefOptionType(cfgOptionDefIdFromId(optionId)) == cfgDefOptTypeHash ||

14
test/src/module/config/parseTest.c
View File

@ -127,6 +127,20 @@ testRun()
configParse(strLstSize(argList), strLstPtr(argList)), OptionRequiredError,
"backup command requires option: stanza");
// -------------------------------------------------------------------------------------------------------------------------
argList = strLstNew();
strLstAdd(argList, strNew(TEST_BACKREST_EXE));
strLstAdd(argList, strNew("--pg1-path=/path/to/db"));
strLstAdd(argList, strNew("--stanza=db"));
strLstAdd(argList, strNew("--repo1-type=s3"));
strLstAdd(argList, strNew("--repo1-s3-key=xxx"));
strLstAdd(argList, strNew(TEST_COMMAND_BACKUP));
TEST_ERROR(
configParse(strLstSize(argList), strLstPtr(argList)), OptionInvalidError,
"option 'repo1-s3-key' is not allowed on the command-line\n"
"HINT: this option could expose secrets in the process list.\n"
"HINT: specify the option in '/etc/pgbackrest.conf' instead.");
// -------------------------------------------------------------------------------------------------------------------------
argList = strLstNew();
strLstAdd(argList, strNew(TEST_BACKREST_EXE));