secure kube templates against injection

app/components.js

@@ -31,6 +31,19 @@ handlebars.registerHelper('prettyJson', function(object){
   return stringify(object, null, 2);
 });
 
+// guarantees an integer number
+handlebars.registerHelper('n', function(object){
+  return ~~object
+});
+
+// escapes so that the object can go in a double quote (") string
+handlebars.registerHelper('e', function(object){
+  let s = stringify(object)
+  if (!s.startsWith('"'))
+    s = stringify(s)
+  return new Handlebars.SafeString(s.slice(1, s.length-1))
+});
+
 // Create a template from the given string
 function templatize(str) {
   return handlebars.compile(str)

templates/kube/defaultTemplate.yaml

@@ -2,21 +2,21 @@
 apiVersion: "v1"
 kind: Pod
 metadata:
-  name: "{{podName}}"
+  name: "{{e podName}}"
   labels:
-    user: "{{user}}"
-    image-type: "{{imageType}}"
-    image-subtype: "{{imageSubtype}}"
-    replacements-checksum: "{{replacementsChecksum}}"
+    user: "{{e user}}"
+    image-type: "{{e imageType}}"
+    image-subtype: "{{e imageSubtype}}"
+    replacements-checksum: "{{e replacementsChecksum}}"
 spec:
   imagePullSecrets:
   - name: garching-kube
   restartPolicy: Never
   containers:
-  - image: "{{image}}"
-    name: "{{imageType}}"
+  - image: "{{e image}}"
+    name: "{{e imageType}}"
     ports:
-    - containerPort: {{port}}
+    - containerPort: {{e port}}
       name: "main-port"
       protocol: "TCP"
     imagePullPolicy: "IfNotPresent"
@@ -30,35 +30,35 @@ spec:
     - mountPath: "/normalized"
       name: "normalized-data-volume"
       readOnly: true
-    - mountPath: "/data/private/{{user}}"
+    - mountPath: "/data/private/{{e user}}"
       name: "private-data-volume"
     - mountPath: "/data/shared"
       name: "shared-data-volume"
       readOnly: true
-    - mountPath: "/data/shared/{{user}}"
+    - mountPath: "/data/shared/{{e user}}"
       name: "my-shared-data-volume"
     readinessProbe:
       httpGet:
-        path: "{{healthPath}}"
-        port: {{port}}
-      initialDelaySeconds: {{healthDelay}}
-      periodSeconds: {{healthPeriod}}
+        path: "{{e healthPath}}"
+        port: {{n port}}
+      initialDelaySeconds: {{n healthDelay}}
+      periodSeconds: {{n healthPeriod}}
     livenessProbe:
       httpGet:
-        path: "{{livePath}}"
-        port: {{port}}
-      initialDelaySeconds: {{liveDelay}}
-      periodSeconds: {{livePeriod}}
+        path: "{{e livePath}}"
+        port: {{n port}}
+      initialDelaySeconds: {{n liveDelay}}
+      periodSeconds: {{n livePeriod}}
   volumes:
   - name: "parsed-data-volume"
-    hostPath: { "path": "{{nomadRoot}}/parsed" }
+    hostPath: { "path": "{{e nomadRoot}}/parsed" }
   - name: "raw-data-volume"
-    hostPath: { "path": "{{nomadRoot}}/raw-data"}
+    hostPath: { "path": "{{e nomadRoot}}/raw-data"}
   - name: "normalized-data-volume"
-    hostPath: { "path": "{{nomadRoot}}/normalized" }
+    hostPath: { "path": "{{e nomadRoot}}/normalized" }
   - name: "private-data-volume"
-    hostPath: { "path": "{{nomadRoot}}/user-data/private/{{user}}" }
+    hostPath: { "path": "{{e nomadRoot}}/user-data/private/{{e user}}" }
   - name: "shared-data-volume"
-    hostPath: { "path": "{{nomadRoot}}/user-data/shared" }
+    hostPath: { "path": "{{e nomadRoot}}/user-data/shared" }
   - name: "my-shared-data-volume"
-    hostPath: { "path": "{{nomadRoot}}/user-data/shared/{{user}}" }
+    hostPath: { "path": "{{e nomadRoot}}/user-data/shared/{{e user}}" }

templates/kube/jupyterTemplate.yaml

@@ -2,23 +2,23 @@
 apiVersion: "v1"
 kind: Pod
 metadata:
-  name: "{{podName}}"
+  name: "{{e podName}}"
   labels:
-    user: "{{user}}"
-    image-type: "{{imageType}}"
-    image-subtype: "{{imageSubtype}}"
-    replacements-checksum: "{{replacementsChecksum}}"
+    user: "{{e user}}"
+    image-type: "{{e imageType}}"
+    image-subtype: "{{e imageSubtype}}"
+    replacements-checksum: "{{e replacementsChecksum}}"
 spec:
   imagePullSecrets:
   - name: garching-kube
   restartPolicy: Never
   containers:
-  - image: "{{image}}"
-    name: "{{imageType}}"
+  - image: "{{e image}}"
+    name: "{{e imageType}}"
     command: ["start-notebook.sh"]
     args: ["--NotebookApp.token=\"\"",  "--NotebookApp.base_url=/jupyter", "--NotebookApp.allow_origin=*", "--NotebookApp.notebook_dir=/data/private/"]
     ports:
-    - containerPort: {{port}}
+    - containerPort: {{n port}}
       name: "main-port"
       protocol: "TCP"
     imagePullPolicy: "IfNotPresent"
@@ -41,26 +41,26 @@ spec:
       name: "my-shared-data-volume"
     readinessProbe:
       httpGet:
-        path: "{{healthPath}}"
-        port: {{port}}
-      initialDelaySeconds: {{healthDelay}}
-      periodSeconds: {{healthPeriod}}
+        path: "{{e healthPath}}"
+        port: {{n port}}
+      initialDelaySeconds: {{n healthDelay}}
+      periodSeconds: {{n healthPeriod}}
     livenessProbe:
       httpGet:
-        path: "{{livePath}}"
-        port: {{port}}
-      initialDelaySeconds: {{liveDelay}}
-      periodSeconds: {{livePeriod}}
+        path: "{{e livePath}}"
+        port: {{n port}}
+      initialDelaySeconds: {{n liveDelay}}
+      periodSeconds: {{n livePeriod}}
   volumes:
   - name: "parsed-data-volume"
-    hostPath: { "path": "{{nomadRoot}}/parsed" }
+    hostPath: { "path": "{{e nomadRoot}}/parsed" }
   - name: "raw-data-volume"
-    hostPath: { "path": "{{nomadRoot}}/raw-data"}
+    hostPath: { "path": "{{e nomadRoot}}/raw-data"}
   - name: "normalized-data-volume"
-    hostPath: { "path": "{{nomadRoot}}/normalized" }
+    hostPath: { "path": "{{e nomadRoot}}/normalized" }
   - name: "private-data-volume"
-    hostPath: { "path": "{{nomadRoot}}/user-data/private/{{user}}" }
+    hostPath: { "path": "{{e nomadRoot}}/user-data/private/{{e user}}" }
   - name: "shared-data-volume"
-    hostPath: { "path": "{{nomadRoot}}/user-data/shared" }
+    hostPath: { "path": "{{e nomadRoot}}/user-data/shared" }
   - name: "my-shared-data-volume"
-    hostPath: { "path": "{{nomadRoot}}/user-data/shared/{{user}}" }
+    hostPath: { "path": "{{e nomadRoot}}/user-data/shared/{{e user}}" }

templates/kube/namespace.yaml

 kind: Namespace
 apiVersion: v1
 metadata:
-  name: {{namespace}}
+  name: "{{e namespace}}"

templates/kube/remoteVisTemplate.yaml

 apiVersion: v1
 kind: Pod
 metadata:
-  name: {{podName}}
+  name: "{{e podName}}"
   labels:
-    user: "{{user}}"
-    image-type: "{{imageType}}"
-    image-subtype: "{{imageSubtype}}"
-    replacements-checksum: "{{replacementsChecksum}}"
+    user: "{{e user}}"
+    image-type: "{{e imageType}}"
+    image-subtype: "{{e imageSubtype}}"
+    replacements-checksum: "{{e replacementsChecksum}}"
 spec:
   terminationGracePeriodSeconds: 5
   restartPolicy: Never
@@ -17,9 +17,9 @@ spec:
     args: ["/software/scripts/startup.sh"]
     env:
     - name: USERNAME
-      value: {{user}}
+      value: "{{e user}}"
     - name: DATAPID
-      value: {{datapid}}
+      value: "{{e datapid}}"
     volumeMounts:
     - mountPath: /data/test
       name: data-test
@@ -58,10 +58,10 @@ spec:
       path: /nomad/mcompo/CO2-CaO
   - name: data-shared
     hostPath:
-      path: /nomad/nomadlab/user-data/shared/{{user}}
+      path: "/nomad/nomadlab/user-data/shared/{{e user}}"
   - name: data-private
     hostPath:
-      path: /nomad/nomadlab/user-data/private/{{user}}
+      path: "/nomad/nomadlab/user-data/private/{{e user}}"
   - name: nginx-volume
     hostPath:
       path: /etc/nginx/ssl