
Escape and quote all passwords in ERB templates

Hossein Pursultani requested to merge 1214-quote-passwords into master

This MR ensures that the content of all password files in ERB templates is stripped, escaped, and quoted.

For stripping it uses String#strip to remove leading and trailing whitespace, including empty lines. In the majority of cases string literals are escaped with String#dump. For URIs, URI#escape is used.

To verify:

  1. Edit a password secrets, e.g. RELEASE-postgresql-password, and set it to something like foo"\n\t bar (add extra line breaks too).
  2. Refresh a deployment that uses the secret, e.g. RELEASE-unicorn.
  3. Check the content of ERB template output, e.g. in /srv/gitlab/config/database.yml of dependencies container of Unicorn pods.
  4. The password should be escaped, e.g. foo\"\\n\\tbar.
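The following is an added, self-contained illustration of the strip-then-escape approach described above and of the verification steps; it is example code written for this page, not code from the merge request or from the GitLab chart. It renders a constructed secret (a double quote, a newline, a tab and surrounding whitespace) through two ERB templates, one that interpolates the value raw and one that applies String#strip and String#dump, and reads the result back with YAML. Because URI.escape was removed in Ruby 3.0, the URI case uses ERB::Util.url_encode as a stand-in for the URI#escape call mentioned in the MR; the hostname, database name and key paths in the templates are assumptions made for the example.

```ruby
require 'erb'
require 'yaml'
require 'uri'

# Constructed sample secret, as a secrets file might hold it: leading and
# trailing whitespace plus a quote, a newline and a tab inside the value.
RAW_PASSWORD = "  \nfoo\"\n\t bar\n  "

# Template that interpolates the secret without stripping, escaping or quoting.
UNSAFE_TEMPLATE = <<~TEMPLATE
  production:
    password: <%= password %>
TEMPLATE

# Template using the approach described in the MR: String#strip, then
# String#dump, which emits a double-quoted, backslash-escaped literal.
SAFE_TEMPLATE = <<~TEMPLATE
  production:
    password: <%= password.strip.dump %>
TEMPLATE

def render(template, password)
  ERB.new(template).result_with_hash(password: password)
end

# Renders the template and returns the password YAML parses back out of it,
# nil if the document parsed into something other than the expected mapping,
# or the exception class name if the rendered document does not parse at all.
def round_trip(template, raw)
  doc = YAML.safe_load(render(template, raw))
  doc.is_a?(Hash) ? doc.dig('production', 'password') : nil
rescue Psych::SyntaxError => e
  e.class.name
end

# Stand-in for the URI#escape case: percent-encode the stripped secret before
# embedding it in a connection URI (host and database name are assumed here).
def database_uri(raw)
  "postgresql://gitlab:#{ERB::Util.url_encode(raw.strip)}@pg:5432/gitlabhq"
end

if $PROGRAM_NAME == __FILE__
  puts render(UNSAFE_TEMPLATE, RAW_PASSWORD)
  puts render(SAFE_TEMPLATE, RAW_PASSWORD)
  p round_trip(UNSAFE_TEMPLATE, RAW_PASSWORD)
  p round_trip(SAFE_TEMPLATE, RAW_PASSWORD)
  puts database_uri(RAW_PASSWORD)
end
```

Running the file shows the raw template producing a database.yml that no longer parses as the intended mapping, while the stripped and dumped value round-trips to exactly `foo"\n\t bar`. One caveat when relying on String#dump for YAML: its output is Ruby string syntax, which coincides with a YAML double-quoted scalar for ASCII input, but non-ASCII characters are emitted as `\u{...}` escapes that YAML does not accept, so secrets are best kept to ASCII or escaped with a YAML-aware encoder in that case.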

Closes #1214 (closed)

Edited by Hossein Pursultani
