Skip to content

test(e2e): escape shell special characters in token generation #15307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
slonka merged 1 commit into from
Jan 7, 2026
Merged

test(e2e): escape shell special characters in token generation #15307

slonka merged 1 commit into from
Jan 7, 2026

Conversation

@lukidzi
Copy link
Contributor

@lukidzi lukidzi commented Dec 17, 2025

Motivation

This PR fixes a command injection vulnerability in the test framework's token generation methods. User-provided data (mesh names, service names, workload names, zone names, and scope values) was being embedded in shell command strings without proper escaping of single quotes.

Implementation information

Fixed four methods in test/framework/universal_controlplane.go:

  • GenerateDpToken: Escapes single quotes in mesh, service, and workload names
  • GenerateZoneIngressToken: Escapes single quotes in zone names
  • GenerateZoneEgressToken: Escapes single quotes in zone names
  • GenerateZoneToken: Escapes single quotes in zone names and scope arrays

@lukidzi
fix(test): escape shell special characters in token generation
153e319 
Properly escape single quotes in user-provided data (mesh, service,
workload, zone names) before passing to shell commands to prevent
command injection vulnerabilities.

The test framework's token generation methods now escape single quotes
using the shell-safe sequence '\'' to prevent breaking out of quoted
strings in curl commands.

Signed-off-by: Lukasz Dziedziak <[email protected]>
@lukidzi lukidzi requested a review from a team as a code owner December 17, 2025 15:10
@lukidzi lukidzi requested review from lobkovilya and slonka December 17, 2025 15:10
@github-actions
Copy link
Contributor

github-actions bot commented Dec 17, 2025

Reviewer Checklist

🔍 Each of these sections need to be checked by the reviewer of the PR 🔍:
If something doesn't apply please check the box and add a justification if the reason is non obvious.

  • Is the PR title satisfactory? Is this part of a larger feature and should be grouped using > Changelog?
  • PR description is clear and complete. It Links to relevant issue as well as docs and UI issues
  • This will not break child repos: it doesn't hardcode values (.e.g "kumahq" as an image registry)
  • IPv6 is taken into account (.e.g: no string concatenation of host port)
  • Tests (Unit test, E2E tests, manual test on universal and k8s)
    • Don't forget ci/ labels to run additional/fewer tests
  • Does this contain a change that needs to be notified to users? In this case, UPGRADE.md should be updated.
  • Does it need to be backported according to the backporting policy? (this GH action will add "backport" label based on these file globs, if you want to prevent it from adding the "backport" label use no-backport-autolabel label)

@lukidzi lukidzi changed the title fix(test): escape shell special characters in token generation test(e2e): escape shell special characters in token generation Dec 17, 2025
@slonka slonka merged commit 2ff74f6 into kumahq:master Jan 7, 2026
15 of 17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@slonka slonka slonka approved these changes

@lobkovilya lobkovilya Awaiting requested review from lobkovilya lobkovilya is a code owner automatically assigned from kumahq/kuma-maintainers

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lukidzi @slonka