sneethiraj commented on code in PR #903:
URL: https://github.com/apache/ranger/pull/903#discussion_r3023478030
##########
ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java:
##########
@@ -330,6 +340,13 @@ private void buildUnixUserList(String command) throws
Throwable {
continue;
}
+ if (validateUserName) {
+ if (!isValidUserName(userName)) {
+ LOG.warn("Ignoring Unix Username: [{}]: failed to
confirm to validation-pattern: [{}]", userName, regExUserNameValidator);
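Review bot: the added `LOG.warn` call writes `userName` to the log verbatim at the moment it has just failed validation, so the value may contain newlines or other control characters; escape or strip those before logging it. The message text in the same call says "failed to confirm to validation-pattern", which should read "conform to". The two nested conditions can also be written as one: `if (validateUserName && !isValidUserName(userName))`.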
Review Comment:
@vyommani - Thanks for the above fix. That takes care of the core issue on
those executions. Even with the above fix, calls like the one below exist, and
the command was formed by groupId and/or groupName that are read from a different
source / unvalidated.
`String[] cmd = new String[] {"bash", "-c", command };`
Shouldn't we validate before it is executed directly?
On a different note, have you looked at the above REGEX that supports
Unicode-based characters in username/groups? Do you have any other alternative
options to address this issue?
If the customer does not want to validate, they can disable the validation via
configuration or set the regEx that suits their needs.
What do you think?
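One way to validate a group name before it reaches a `bash -c` call, as the comment above asks; this is an added example, not code from the PR or from Ranger. The class and method names, the pattern, and the `getent group` command are assumptions chosen for illustration.

```java
import java.util.Arrays;
import java.util.regex.Pattern;

public class ValidatedGroupCommand {
    // Assumed allow-list (not Ranger's configured pattern): Unicode letters and
    // digits, plus '.', '_' and '-' after the first character, 64 chars at most.
    private static final Pattern NAME =
            Pattern.compile("[\\p{L}\\p{N}_][\\p{L}\\p{N}._-]{0,63}");

    // matches() must consume the whole string, so a valid prefix followed by
    // shell syntax or a newline is rejected (find() would accept it).
    static boolean isValidName(String name) {
        return name != null && NAME.matcher(name).matches();
    }

    // The script text is a constant; the name travels as positional parameter
    // $1, so bash treats it as data even if the pattern is later loosened.
    static String[] buildCommand(String groupName) {
        if (!isValidName(groupName)) {
            throw new IllegalArgumentException("group name failed validation");
        }
        return new String[] {"bash", "-c", "getent group \"$1\"", "bash", groupName};
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two ordinary names, three that must fail.
        String[] samples = {"hadoop", "donn\u00e9es", "dev ops", "dev;ops", "ops\n"};
        for (String s : samples) {
            try {
                System.out.println("accepted: " + Arrays.toString(buildCommand(s)));
            } catch (IllegalArgumentException e) {
                // Report the length, not the raw value, which may hold control characters.
                System.out.println("rejected: input of length " + s.length());
            }
        }
    }
}
```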