nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-06-03 10:50:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

backups: Mark secret strings in privileged actions

Browse Source 
Tests:

- Run affected privileged actions through UI and notice that secret strings are
not logged (except initializing init/info a new SSH repository).

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This commit is contained in:
Sunil Mohan Adapa 2024-08-04 11:17:09 -07:00 committed by James Valleroy
parent f22d1b31db
commit 7175a05733
No known key found for this signature in database
GPG Key ID: 77C0C75E7B650808
1 changed files with 14 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
plinth/modules/backups/privileged.py
View File

@ -8,7 +8,7 @@ import re
import subprocess
import tarfile
from plinth.actions import privileged
from plinth.actions import privileged, secret_str
from plinth.utils import Version
TIMEOUT = 30
@ -22,7 +22,7 @@ class AlreadyMountedError(Exception):
@privileged
def mount(mountpoint: str, remote_path: str, ssh_keyfile: str | None = None,
password: str | None = None,
password: secret_str | None = None,
user_known_hosts_file: str = '/dev/null'):
"""Mount a remote ssh path via sshfs."""
try:
@ -120,13 +120,14 @@ def _init_repository(path: str, encryption: str,
@privileged
def init(path: str, encryption: str, encryption_passphrase: str | None = None):
def init(path: str, encryption: str,
encryption_passphrase: secret_str | None = None):
"""Initialize the borg repository."""
_init_repository(path, encryption, encryption_passphrase)
@privileged
def info(path: str, encryption_passphrase: str | None = None) -> dict:
def info(path: str, encryption_passphrase: secret_str | None = None) -> dict:
"""Show repository information."""
process = _run(['borg', 'info', '--json', path], encryption_passphrase,
stdout=subprocess.PIPE)
@ -134,7 +135,8 @@ def info(path: str, encryption_passphrase: str | None = None) -> dict:
@privileged
def list_repo(path: str, encryption_passphrase: str | None = None) -> dict:
def list_repo(path: str,
encryption_passphrase: secret_str | None = None) -> dict:
"""List repository contents."""
process = _run(['borg', 'list', '--json', '--format="{comment}"', path],
encryption_passphrase, stdout=subprocess.PIPE)
@ -149,7 +151,7 @@ def _get_borg_version():
@privileged
def create_archive(path: str, paths: list[str], comment: str | None = None,
encryption_passphrase: str | None = None):
encryption_passphrase: secret_str | None = None):
"""Create archive."""
existing_paths = filter(os.path.exists, paths)
command = ['borg', 'create', '--json']
@ -167,7 +169,7 @@ def create_archive(path: str, paths: list[str], comment: str | None = None,
@privileged
def delete_archive(path: str, encryption_passphrase: str | None = None):
def delete_archive(path: str, encryption_passphrase: secret_str | None = None):
"""Delete archive."""
_run(['borg', 'delete', path], encryption_passphrase)
@ -197,7 +199,7 @@ def _extract(archive_path, destination, encryption_passphrase, locations=None):
@privileged
def export_tar(path: str, encryption_passphrase: str | None = None):
def export_tar(path: str, encryption_passphrase: secret_str | None = None):
"""Export archive contents as tar stream on stdout."""
_run(['borg', 'export-tar', path, '-', '--tar-filter=gzip'],
encryption_passphrase)
@ -211,8 +213,9 @@ def _read_archive_file(archive, filepath, encryption_passphrase):
@privileged
def get_archive_apps(path: str,
encryption_passphrase: str | None = None) -> list[str]:
def get_archive_apps(
path: str,
encryption_passphrase: secret_str | None = None) -> list[str]:
"""Get list of apps included in archive."""
manifest_folder = os.path.relpath(MANIFESTS_FOLDER, '/')
borg_call = [
@ -284,7 +287,7 @@ def get_exported_archive_apps(path: str) -> list[str]:
@privileged
def restore_archive(archive_path: str, destination: str,
directories: list[str], files: list[str],
encryption_passphrase: str | None = None):
encryption_passphrase: secret_str | None = None):
"""Restore files from an archive."""
locations_all = directories + files
locations_all = [