PP-464: PBS Accounting Logs - Incorrect Escaping, Proposed Design posted


#21

I am fine with the changes as long as they do not cause issues if an admin encapsulates a json string in a custom resource. If this has been tested and works as expected then I am fine with the proposed changes.


#22

@jon,

I haven't started with the implementation as yet. I wanted an agreement before I proceed.

Thanks,
Prakash


#23

To summarize when escaping/quoting will take place:

  • Attributes/values created by PBS will not be modified
  • Attributes/values submitted by user will be escaped/quoted
  • Attributes that already have surrounding quotes will not have another layer of quotes added

Sounds good to me!


#24

This ticket is blocked on PP-745. Single node jobs are not sending json strings within single quotes.


#25

I have started working on this ticket, and after the code changes, below are the things which have been achieved so far.

JOB: qsub -A 'value" malicious="evil' -- /bin/true

ACCOUNTING LOG:
02/06/2019 13:36:11;Q;9.localhost;queue=workq
02/06/2019 13:36:11;S;9.localhost;user=jitenr group=jitenr account="value\" malicious=\"evil" project=_pbs_project_default jobname=STDIN queue=workq ctime=1549488971 qtime=1549488971 etime=1549488971 start=1549488971 exec_host=localhost/0 exec_vnode=(localhost:ncpus=1) Resource_List.ncpus=1 Resource_List.nodect=1 Resource_List.place=pack Resource_List.select="1:ncpus=1" resource_assigned.ncpus=1
02/06/2019 13:36:12;E;9.localhost;user=jitenr group=jitenr account="value\" malicious=\"evil" project=_pbs_project_default jobname=STDIN queue=workq ctime=1549488971 qtime=1549488971 etime=1549488971 start=1549488971 exec_host=localhost/0 exec_vnode=(localhost:ncpus=1) Resource_List.ncpus=1 Resource_List.nodect=1 Resource_List.place=pack Resource_List.select="1:ncpus=1" session=34450 end=1549488972 Exit_status=0 resources_used.cpupercent=0 resources_used.cput="00:00:00" resources_used.mem=0kb resources_used.ncpus=1 resources_used.vmem=0kb resources_used.walltime=00:00:01 run_count=1

TRACEJOB:
user=jitenr group=jitenr account=value" malicious="evil project=_pbs_project_default jobname=STDIN queue=workq ctime=1549488971 qtime=1549488971 etime=1549488971 start=1549488971
exec_host=localhost/0 exec_vnode=(localhost:ncpus=1) Resource_List.ncpus=1 Resource_List.nodect=1 Resource_List.place=pack Resource_List.select=1:ncpus=1 session=34450 end=1549488972
Exit_status=0 resources_used.cpupercent=0 resources_used.cput=00:00:00 resources_used.mem=0kb resources_used.ncpus=1 resources_used.vmem=0kb resources_used.walltime=00:00:01
run_count=1

As there were non-alphanumeric characters in the job attribute, all of the quotes have been parsed and escaped before saving it to the accounting log, and while reading, all the escapes have been removed, which is visible in trace job as well.

Resource_List.select contains all the resources required for the job separated by a colon ( : ), which is a non-alphanumeric character; this is why it is also getting quoted in the accounting log. So I wanted to ask whether keeping Resource_List.select in quotes is a good idea? Because anyhow any value coming into select will be parsed by PBS itself, so the possibility of getting a suspicious or infected string through select is very low in terms of security.

Kindly provide your suggestions over this.

Thanks,
Jitendra
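
The escaping round trip shown in post #25, as an added example that is not part of the thread or the PBS source: a writer that quotes and escapes a user-submitted value, and a reader that reverses it, run against the same account string. The safe character set, the function names and the quote-only writer used for contrast are assumptions made for illustration; the rule about values that already carry surrounding quotes is not modelled.

```python
import re

# Assumption: values made only of these characters are written bare.
SAFE = re.compile(r"[A-Za-z0-9_.]+")
# key=, then either a quoted value with backslash escapes or a bare token
FIELD = re.compile(r'([\w.]+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')
ESCAPE = re.compile(r"\\(.)")


def quote_value(value, escape=True):
    """Quote a user-submitted value; escape backslashes and quotes inside it."""
    if SAFE.fullmatch(value):
        return value
    if escape:
        # Backslash first, so the backslashes added for quotes are not doubled.
        value = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{value}"'


def build_message(attrs, escape=True):
    """Join (key, value) pairs into the message part of an accounting record."""
    return " ".join(f"{k}={quote_value(v, escape)}" for k, v in attrs)


def parse_fields(message):
    """Split a message into a dict, removing quotes and escapes on the way."""
    fields = {}
    for match in FIELD.finditer(message):
        key, quoted, bare = match.groups()
        fields[key] = ESCAPE.sub(r"\1", quoted) if quoted is not None else bare
    return fields


# Constructed sample modelled on the job submitted in post #25.
ATTRS = [("user", "jitenr"),
         ("account", 'value" malicious="evil'),
         ("queue", "workq")]

if __name__ == "__main__":
    for escape in (True, False):
        message = build_message(ATTRS, escape)
        print("escape=%s" % escape)
        print("  record:", message)
        print("  parsed:", parse_fields(message))
```

With escaping on, the reader returns three fields and the account value comes back byte for byte; with the quote-only writer, the same reader reports a fourth field named `malicious`.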