Merge pull request #381 from elvin03/main

Add fix for codeql security issue

Author: elvin03

cmd/os-image-composer/build.go

@@ -126,7 +126,9 @@ post:
 	if buildErr == nil {
 		log.Info("image build completed successfully")
 	} else {
-		log.Errorf("image build failed: %v", buildErr)
+		// Avoid logging the full error chain to prevent potential leakage of sensitive data.
+		// Log only the error type/category to aid debugging without exposing sensitive details.
+		log.Errorf("image build failed (error type: %T)", buildErr)
 	}
 
 	return buildErr

internal/config/merge.go

@@ -137,13 +137,14 @@ func MergeConfigurations(userTemplate, defaultTemplate *ImageTemplate) (*ImageTe
 	// Validate immutability configuration and fix if needed
 	validateAndFixImmutabilityConfig(&mergedTemplate)
 
-	// Debug mode: Pretty print the merged template
+	// Debug mode: Pretty print the merged template with sensitive data redacted
 	if IsDebugMode() {
-		pretty, err := json.MarshalIndent(mergedTemplate, "", "  ")
+		redactedTemplate := redactSensitiveData(&mergedTemplate)
+		pretty, err := json.MarshalIndent(redactedTemplate, "", "  ")
 		if err != nil {
 			log.Warnf("Failed to pretty print merged template: %v", err)
 		} else {
-			log.Debugf("Merged Template:\n%s", string(pretty))
+			log.Debugf("Merged Template (sensitive data redacted):\n%s", string(pretty))
 		}
 	}
 
@@ -153,6 +154,50 @@ func MergeConfigurations(userTemplate, defaultTemplate *ImageTemplate) (*ImageTe
 	return &mergedTemplate, nil
 }
 
+// redactSensitiveData creates a copy of the template with sensitive data redacted for safe logging.
+// This prevents passwords, keys, and other sensitive information from appearing in logs.
+func redactSensitiveData(template *ImageTemplate) *ImageTemplate {
+	// Create a deep copy
+	redacted := *template
+	redacted.SystemConfig = redactSensitiveSystemConfig(template.SystemConfig)
+	return &redacted
+}
+
+// redactSensitiveSystemConfig creates a copy of SystemConfig with sensitive fields redacted
+func redactSensitiveSystemConfig(config SystemConfig) SystemConfig {
+	redacted := config
+
+	// Redact user passwords and sensitive user data
+	if len(config.Users) > 0 {
+		redacted.Users = make([]UserConfig, len(config.Users))
+		for i, user := range config.Users {
+			redactedUser := user
+			// Redact password if present
+			if user.Password != "" {
+				redactedUser.Password = "[REDACTED]"
+			}
+			// Redact hash algorithm to prevent revealing password security details
+			if user.HashAlgo != "" {
+				redactedUser.HashAlgo = "[REDACTED]"
+			}
+			redacted.Users[i] = redactedUser
+		}
+	}
+
+	// Redact secure boot keys/certificates (sensitive file paths that could reveal security setup)
+	if config.Immutability.SecureBootDBKey != "" {
+		redacted.Immutability.SecureBootDBKey = "[REDACTED]"
+	}
+	if config.Immutability.SecureBootDBCrt != "" {
+		redacted.Immutability.SecureBootDBCrt = "[REDACTED]"
+	}
+	if config.Immutability.SecureBootDBCer != "" {
+		redacted.Immutability.SecureBootDBCer = "[REDACTED]"
+	}
+
+	return redacted
+}
+
 // mergeSystemConfig merges a single system configuration
 func mergeSystemConfig(defaultConfig, userConfig SystemConfig) SystemConfig {
 	merged := defaultConfig // Start with default

internal/image/imageos/imageos.go

@@ -1351,21 +1351,31 @@ func verifyUserCreated(installRoot, username string) error {
 
 	// Check if user exists in passwd file
 	passwdCmd := fmt.Sprintf("grep '^%s:' /etc/passwd", username)
-	output, err := shell.ExecCmd(passwdCmd, true, installRoot, nil)
+	// output, err := shell.ExecCmd(passwdCmd, true, installRoot, nil)
+	_, err := shell.ExecCmd(passwdCmd, true, installRoot, nil)
 	if err != nil {
-		log.Errorf("User %s not found in passwd file: %v", username, err)
-		return fmt.Errorf("user %s not found in passwd file: %w", username, err)
+		// log.Errorf("User %s not found in passwd file: %v", username, err)
+		// return fmt.Errorf("user %s not found in passwd file: %w", username, err)
+		// Do not log command output or sensitive file contents
+		log.Errorf("User %s not found in passwd file", username)
+		return fmt.Errorf("user %s not found in passwd file", username)
 	}
-	log.Debugf("User in passwd: %s", strings.TrimSpace(output))
+	// log.Debugf("User in passwd: %s", strings.TrimSpace(output))
+	// User was found in passwd; avoid logging the line content to prevent leaking sensitive data
 
 	// Check if user has password in shadow file
 	shadowCmd := fmt.Sprintf("grep '^%s:' /etc/shadow", username)
-	output, err = shell.ExecCmd(shadowCmd, true, installRoot, nil)
+	// output, err = shell.ExecCmd(shadowCmd, true, installRoot, nil)
+	_, err = shell.ExecCmd(shadowCmd, true, installRoot, nil)
 	if err != nil {
-		log.Errorf("User %s not found in shadow file: %v", username, err)
-		return fmt.Errorf("user %s not found in shadow file: %w", username, err)
+		// log.Errorf("User %s not found in shadow file: %v", username, err)
+		// return fmt.Errorf("user %s not found in shadow file: %w", username, err)
+		// Do not log command output or sensitive file contents
+		log.Errorf("User %s not found in shadow file", username)
+		return fmt.Errorf("user %s not found in shadow file", username)
 	}
-	log.Debugf("User in shadow: %s", strings.TrimSpace(output))
+	// log.Debugf("User in shadow: %s", strings.TrimSpace(output))
+	// User was found in shadow; avoid logging the line content to prevent leaking sensitive data
 
 	return nil
 }
@@ -1508,8 +1518,10 @@ func setUserPassword(installRoot string, user config.UserConfig) error {
 			// Password is already hashed, use usermod to set it directly
 			usermodCmd := fmt.Sprintf("usermod -p '%s' %s", user.Password, user.Name)
 			if _, err := shell.ExecCmd(usermodCmd, true, installRoot, nil); err != nil {
-				log.Errorf("Failed to set hashed password for user %s: %v", user.Name, err)
-				return fmt.Errorf("failed to set hashed password for user %s: %w", user.Name, err)
+				// log.Errorf("Failed to set hashed password for user %s: %v", user.Name, err)
+				// return fmt.Errorf("failed to set hashed password for user %s: %w", user.Name, err)
+				log.Errorf("Failed to set hashed password for user %s", user.Name)
+				return fmt.Errorf("failed to set hashed password for user %s", user.Name)
 			}
 		} else {
 			// Password is plaintext, need to hash it first
@@ -1520,17 +1532,21 @@ func setUserPassword(installRoot string, user config.UserConfig) error {
 
 			usermodCmd := fmt.Sprintf("usermod -p '%s' %s", hashedPassword, user.Name)
 			if _, err := shell.ExecCmd(usermodCmd, true, installRoot, nil); err != nil {
-				log.Errorf("Failed to set hashed password for user %s: %v", user.Name, err)
-				return fmt.Errorf("failed to set hashed password for user %s: %w", user.Name, err)
+				// log.Errorf("Failed to set hashed password for user %s: %v", user.Name, err)
+				// return fmt.Errorf("failed to set hashed password for user %s: %w", user.Name, err)
+				log.Errorf("Failed to set password for user %s", user.Name)
+				return fmt.Errorf("failed to set password for user %s", user.Name)
 			}
 		}
 	} else {
 		// No hash algorithm specified, use interactive passwd command (legacy behavior)
 		passwdInput := fmt.Sprintf("%s\n%s\n", user.Password, user.Password)
 		passwdCmd := fmt.Sprintf("passwd %s", user.Name)
 		if _, err := shell.ExecCmdWithInput(passwdInput, passwdCmd, true, installRoot, nil); err != nil {
-			log.Errorf("Failed to set password for user %s: %v", user.Name, err)
-			return fmt.Errorf("failed to set password for user %s: %w", user.Name, err)
+			// log.Errorf("Failed to set password for user %s: %v", user.Name, err)
+			// return fmt.Errorf("failed to set password for user %s: %w", user.Name, err)
+			log.Errorf("Failed to set password for user %s", user.Name)
+			return fmt.Errorf("failed to set password for user %s", user.Name)
 		}
 	}
 
@@ -1562,7 +1578,8 @@ func hashPassword(password, hashAlgo, installRoot string) (string, error) {
 	log.Debugf("Hashing password with algorithm %s", hashAlgo)
 	output, err := shell.ExecCmd(cmd, true, installRoot, nil)
 	if err != nil {
-		log.Errorf("Failed to hash password with algorithm %s: %v", hashAlgo, err)
+		// log.Errorf("Failed to hash password with algorithm %s: %v", hashAlgo, err)
+		log.Errorf("Failed to hash password with algorithm %s", hashAlgo)
 		return "", fmt.Errorf("failed to hash password with algorithm %s: %w", hashAlgo, err)
 	}
 
@@ -1591,7 +1608,9 @@ func configUserStartupScript(installRoot string, user config.UserConfig) error {
 	passwdFile := filepath.Join(installRoot, "etc", "passwd")
 
 	if err := file.ReplaceRegexInFile(findPattern, replacePattern, passwdFile); err != nil {
-		log.Errorf("Failed to update user %s startup command: %v", user.Name, err)
+		// log.Errorf("Failed to update user %s startup command: %v", user.Name, err)
+		// Log only high-level context to avoid leaking potentially sensitive details from the underlying error.
+		log.Errorf("Failed to update startup command for user %s", user.Name)
 		return fmt.Errorf("failed to update user %s startup command: %w", user.Name, err)
 	}
 	return nil

internal/image/imageos/imageos_test.go

@@ -1737,8 +1737,8 @@ func TestInstallImagePkgs(t *testing.T) {
 		pkgType  string
 		expected string
 	}{
-		{"RPM packages", "rpm", "rpm"},
-		{"DEB packages", "deb", "repo config file"},
+		{"RPM packages", "rpm", "RPM database"},
+		{"DEB packages", "deb", "local repo"},
 	}
 
 	for _, tt := range tests {
@@ -1758,6 +1758,11 @@ func TestInstallImagePkgs(t *testing.T) {
 				if err := os.MkdirAll(configDir, 0755); err != nil {
 					t.Fatalf("Failed to create config directory: %v", err)
 				}
+				// Create the local.list file that the method expects
+				localListPath := filepath.Join(configDir, "local.list")
+				if err := os.WriteFile(localListPath, []byte("deb file:///repo bookworm main"), 0644); err != nil {
+					t.Fatalf("Failed to create local.list file: %v", err)
+				}
 				defer os.RemoveAll("/tmp/config")
 			}
 

internal/utils/shell/shell.go

@@ -456,7 +456,9 @@ func GetFullCmdStr(cmdStr string, sudo bool, chrootPath string, envVal []string)
 
 		fullCmdStr = "sudo " + envValStr + "chroot " + chrootPath + " " + fullPathCmdStr
 		chrootDir := filepath.Base(chrootPath)
-		log.Debugf("Chroot " + chrootDir + " Exec: [" + fullPathCmdStr + "]")
+		// log.Debugf("Chroot " + chrootDir + " Exec: [" + fullPathCmdStr + "]")
+		// Avoid logging full command string to prevent leaking sensitive data.
+		log.Debugf("Chroot %s Exec: [command executed]", chrootDir)
 
 	} else {
 		if sudo {
@@ -467,10 +469,14 @@ func GetFullCmdStr(cmdStr string, sudo bool, chrootPath string, envVal []string)
 			}
 
 			fullCmdStr = "sudo " + envValStr + fullPathCmdStr
-			log.Debugf("Exec: [sudo " + fullPathCmdStr + "]")
+			// log.Debugf("Exec: [sudo " + fullPathCmdStr + "]")
+			// Avoid logging full command string to prevent leaking sensitive data.
+			log.Debugf("Exec with sudo: [command executed]")
 		} else {
 			fullCmdStr = fullPathCmdStr
-			log.Debugf("Exec: [" + fullPathCmdStr + "]")
+			// log.Debugf("Exec: [" + fullPathCmdStr + "]")
+			// Avoid logging full command string to prevent leaking sensitive data.
+			log.Debugf("Exec without sudo: [command executed]")
 		}
 	}
 
@@ -490,13 +496,19 @@ func (d *DefaultExecutor) ExecCmd(cmdStr string, sudo bool, chrootPath string, e
 
 	if err != nil {
 		if outputStr != "" {
-			return outputStr, fmt.Errorf("failed to exec %s: output %s, err %w", fullCmdStr, outputStr, err)
+			// return outputStr, fmt.Errorf("failed to exec %s: output %s, err %w", fullCmdStr, outputStr, err)
+			// Do not include the full command string in the error to avoid leaking sensitive data.
+			return outputStr, fmt.Errorf("failed to execute command with output: %w", err)
 		} else {
-			return outputStr, fmt.Errorf("failed to exec %s: %w", fullCmdStr, err)
+			// return outputStr, fmt.Errorf("failed to exec %s: %w", fullCmdStr, err)
+			// Do not include the full command string in the error to avoid leaking sensitive data.
+			return outputStr, fmt.Errorf("failed to execute command: %w", err)
 		}
 	} else {
 		if outputStr != "" {
-			log.Debugf(outputStr)
+			// log.Debugf(outputStr)
+			// Avoid logging raw command output to prevent leaking sensitive data.
+			log.Debugf("Command executed successfully with non-empty output")
 		}
 		return outputStr, nil
 	}
@@ -599,7 +611,8 @@ func (d *DefaultExecutor) ExecCmdWithInput(inputStr string, cmdStr string, sudo
 		if outputStr != "" {
 			log.Infof(outputStr)
 		}
-		return outputStr, fmt.Errorf("failed to exec %s with input %s: %w", fullCmdStr, inputStr, err)
+		// return outputStr, fmt.Errorf("failed to exec %s with input %s: %w", fullCmdStr, inputStr, err)
+		return outputStr, fmt.Errorf("failed to exec command: %w", err)
 	} else {
 		if outputStr != "" {
 			log.Debugf(outputStr)

internal/utils/shell/shell_mock.go

@@ -31,14 +31,20 @@ func getFullCmdStr(cmdStr string, sudo bool, chrootPath string, envVal []string)
 	if chrootPath != HostPath {
 		fullCmdStr = "sudo " + envValStr + "chroot " + chrootPath + " " + cmdStr
 		chrootDir := filepath.Base(chrootPath)
-		log.Debugf("MockExecutor: Chroot " + chrootDir + " Exec: [" + cmdStr + "]")
+		// log.Debugf("MockExecutor: Chroot " + chrootDir + " Exec: [" + cmdStr + "]")
+		// Avoid logging full command string to prevent leaking sensitive data such as passwords.
+		log.Debugf("MockExecutor: Chroot %s Exec", chrootDir)
 	} else {
 		if sudo {
 			fullCmdStr = "sudo " + envValStr + cmdStr
-			log.Debugf("MockExecutor: Host Exec with sudo: [" + cmdStr + "]")
+			// log.Debugf("MockExecutor: Host Exec with sudo: [" + cmdStr + "]")
+			// Avoid logging full command string to prevent leaking sensitive data such as passwords.
+			log.Debugf("MockExecutor: Host Exec with sudo")
 		} else {
 			fullCmdStr = envValStr + cmdStr
-			log.Debugf("MockExecutor: Host Exec: [" + cmdStr + "]")
+			// log.Debugf("MockExecutor: Host Exec: [" + cmdStr + "]")
+			// Avoid logging full command string to prevent leaking sensitive data such as passwords.
+			log.Debugf("MockExecutor: Host Exec without sudo")
 		}
 	}
 	return fullCmdStr, nil