PBS Pro / PP-464

PBS Accounting Logs - Incorrect Escaping

    Details

    • Type: Bug
    • Status: In Progress
    • Priority: Low
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Story Points:
      1

      Description

      Customers have reported that the accounting logs had issues where malicious users can inject arbitrary values. There is a real business-case concern, because theoretically a malicious user can cheat their allocation system, and have unlimited usage of the cluster.

      The problem is described below:
      ---------------------------------------------------------------------
      Incorrect Escaping
      When writing to accounting logs, handling of escaping and quote characters is, at the very least, inconsistent. In some cases the value is simply surrounded in quotes, regardless of what the value is, so you can end up with a string like this:

      qsub -A 'value" malicious="evil' -I -P z00
      key="value" malicious="evil"

      In other sections there is an attempt to escape things by searching for a double quote character in the string and then using single quotes to enclose the string instead. This just leads to the issue occurring when the string contains both double and single quotes:

      key='"value"' malicious="evil" other='foo"bar"'
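
The two behaviours described above, next to one consistent writer, as an added example (not code from PBS Pro or from this issue). The backslash-escaping convention and the function names are assumptions of the example; the sample value is constructed from the report's own `qsub -A` line.

```c
#include <stdio.h>

/* Naive writer, as the report describes: quote the value without inspecting it. */
int write_naive(char *out, size_t n, const char *key, const char *val)
{
    return snprintf(out, n, "%s=\"%s\"", key, val);
}

/* Hardened writer: always double-quote, and backslash-escape '"' and '\'.
 * The escaping convention is an assumption of this example, not PBS Pro's.
 * Returns the length written, or -1 (out then invalid) if it does not fit. */
int write_escaped(char *out, size_t n, const char *key, const char *val)
{
    int k = snprintf(out, n, "%s=\"", key);
    if (k < 0 || (size_t)k >= n) return -1;
    size_t o = (size_t)k;
    for (; *val; val++) {
        if (*val == '"' || *val == '\\') {
            if (o + 1 >= n) return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= n) return -1;
        out[o++] = *val;
    }
    if (o + 2 > n) return -1;
    out[o++] = '"';
    out[o] = '\0';
    return (int)o;
}

/* Count quoted fields the way a consumer that honours backslash escapes
 * would; returns -1 if a quote is left open. */
int count_fields(const char *line)
{
    int fields = 0, in_q = 0;
    for (const char *p = line; *p; p++) {
        if (in_q && *p == '\\' && p[1]) { p++; continue; }
        if (*p == '"') { fields += in_q; in_q = !in_q; }
    }
    return in_q ? -1 : fields;
}

int main(void)
{
    char a[128], b[128];
    const char *v = "value\" malicious=\"evil"; /* constructed sample value */
    write_naive(a, sizeof a, "key", v);
    write_escaped(b, sizeof b, "key", v);
    printf("naive   %s -> %d\nescaped %s -> %d\n", a, count_fields(a), b, count_fields(b));
    return 0;
}
```

A reader of the log has to apply the same unescaping rule, otherwise the escaped form is as ambiguous as the original.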


              People

              • Assignee:
                prakashcv13 Prakash Varandani
                Reporter:
                smgoosen Sam Goosen
              • Votes: 0
              • Watchers: 3
