Skip to content

RANGER-5631: Fix setup scripts failing on passwords containing % and \#1069

Open
arunk-kumar wants to merge 1 commit into
apache:masterfrom
arunk-kumar:RANGER-5631
Open

RANGER-5631: Fix setup scripts failing on passwords containing % and \#1069
arunk-kumar wants to merge 1 commit into
apache:masterfrom
arunk-kumar:RANGER-5631

Conversation

@arunk-kumar

Copy link
Copy Markdown

Summary

Fixes RANGER-5631. Setup and DB scripts fail on any password containing percent, backslash, backtick, single quote, or double quote.

Root cause

  1. ConfigParser treats percent as an interpolation prefix — a value like 100%pure raises InterpolationSyntaxError.
  2. get_jisql_cmd builds the command with the password wrapped in single quotes, then shlex.splits it — so a single quote in the password breaks the quoting. A denylist regex hid the real bug by rejecting the problematic characters upfront.

Fix

  • unixauthservice/scripts/setup.py: switch to ConfigParser(interpolation=None); drop the denylist (this file is Unix-only).
  • security-admin/ and kms/ dba_script.py + db_setup.py: unquote the password format specifier and wrap it with shlex.quote() at every Unix get_jisql_cmd site (MySQL, Oracle, Postgres, MSSQL, SQLAnywhere).
  • Windows retains a double-quote-only denylist. Proper cmd.exe quoting is out of scope here; happy to file a follow-up ticket.

Testing

  • Full mvn -T 8 clean verify — all 90 modules green.
  • Local Python smoke test round-trips 18 problem passwords (percent, backslash, backticks, quotes, shell-substitution attempts, arg-injection dashes) through the exact ConfigParser and shlex.quote → shlex.split → subprocess pipeline used by the patched code paths.

The db_setup and dba_script utilities failed on any password containing
the character % (ConfigParser interpolation error) or one of the
characters \ ` ' " (rejected by a denylist regex before reaching the DB).

Fixes:
  1. Switch to ConfigParser(interpolation=None) in unixauthservice/scripts/setup.py
     so % in property values is read literally.
  2. Drop the [\`'"] regex denylist on Unix; shell-quote passwords via
     shlex.quote() at every jisql call site instead. On Windows retain a
     targeted "-only denylist until a dedicated cmd.exe quoter is added.
  3. Apply shlex.quote() to every Unix get_jisql_cmd() branch across
     MySQL, Oracle, Postgres, MSSQL, and SQLAnywhere in security-admin
     and kms scripts.

Verified locally with a Python smoke test that round-trips 18 problem
passwords (including P@$s%wo\rd'"!, $(rm -rf /), backticks, spaces, and
starting-dash arg-injection attempts) through the ConfigParser and
shlex.quote -> shlex.split -> subprocess pipeline. Full mvn -T 8 clean
verify passes (all 90 modules green).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant