diff -Nru openstack-trove-17.0.0+git2022091213.6e4dd51c/ChangeLog openstack-trove-18.0.0/ChangeLog --- openstack-trove-17.0.0+git2022091213.6e4dd51c/ChangeLog 2022-09-12 17:47:44.000000000 +0000 +++ openstack-trove-18.0.0/ChangeLog 2022-10-05 12:24:31.000000000 +0000 @@ -1,6 +1,11 @@ CHANGES ======= +18.0.0 +------ + +* Fix illegal shell characters +* Fix compatibility with oslo.db 12.1.0 * Rename api\_wsgi.py to app\_wsgi.py * Rename app.wsgi to app\_wsgi.py * Fix the missing of guest-agent.conf in guest vm diff -Nru openstack-trove-17.0.0+git2022091213.6e4dd51c/debian/changelog openstack-trove-18.0.0/debian/changelog --- openstack-trove-17.0.0+git2022091213.6e4dd51c/debian/changelog 2022-09-12 17:48:11.000000000 +0000 +++ openstack-trove-18.0.0/debian/changelog 2022-10-05 19:40:35.000000000 +0000 @@ -1,3 +1,10 @@ +openstack-trove (2:18.0.0-0ubuntu1) kinetic; urgency=medium + + * d/watch: Scope to 18.x series. + * New upstream release for OpenStack Zed. + + -- Corey Bryant Wed, 05 Oct 2022 15:40:35 -0400 + openstack-trove (2:17.0.0+git2022091213.6e4dd51c-0ubuntu1) kinetic; urgency=medium * New upstream snapshot for OpenStack Zed. diff -Nru openstack-trove-17.0.0+git2022091213.6e4dd51c/debian/watch openstack-trove-18.0.0/debian/watch --- openstack-trove-17.0.0+git2022091213.6e4dd51c/debian/watch 2022-09-12 17:48:11.000000000 +0000 +++ openstack-trove-18.0.0/debian/watch 2022-10-05 19:40:35.000000000 +0000 @@ -1,3 +1,3 @@ version=3 opts="uversionmangle=s/\.([a-zA-Z])/~$1/;s/%7E/~/;s/\.0b/~b/;s/\.0rc/~rc/" \ - https://tarballs.opendev.org/openstack/trove/ trove-(17\.\d.*)\.tar\.gz + https://tarballs.opendev.org/openstack/trove/ trove-(18\.\d.*)\.tar\.gz diff -Nru openstack-trove-17.0.0+git2022091213.6e4dd51c/PKG-INFO openstack-trove-18.0.0/PKG-INFO --- openstack-trove-17.0.0+git2022091213.6e4dd51c/PKG-INFO 2022-09-12 17:47:47.264643000 +0000 +++ openstack-trove-18.0.0/PKG-INFO 2022-10-05 12:24:32.590360200 +0000 
@@ -1,11 +1,69 @@ -Metadata-Version: 2.1 +Metadata-Version: 1.2 Name: trove -Version: 17.1.0.dev66 +Version: 18.0.0 Summary: OpenStack DBaaS Home-page: https://docs.openstack.org/trove/latest/ Author: OpenStack Author-email: openstack-discuss@lists.openstack.org License: UNKNOWN +Description: ===== + Trove + ===== + + .. image:: https://governance.openstack.org/tc/badges/trove.svg + :target: https://governance.openstack.org/tc/reference/tags/index.html + + Trove is Database as a Service for OpenStack. + + Getting Started + --------------- + + If you'd like to run from the master branch, you can clone the git repo: + + git clone https://opendev.org/openstack/trove + + For information on how to contribute to trove, please see + CONTRIBUTING.rst_ and HACKING.rst_ + + .. _CONTRIBUTING.rst: https://opendev.org/openstack/trove/src/branch/master/CONTRIBUTING.rst + .. _HACKING.rst: https://opendev.org/openstack/trove/src/branch/master/HACKING.rst + + * `Wiki `_ + * `Developer Docs `_ + + You can raise bugs here: + `Bug Tracker `_ + + The plan for trove can be found at + `Trove Specs `_ + + Release notes for the project can be found at: + https://docs.openstack.org/releasenotes/trove + + Python client + ------------- + Python-troveclient_ is a client for Trove. + + .. _Python-troveclient: https://opendev.org/openstack/python-troveclient + + Dashboard plugin + ---------------- + Trove-dashboard_ is OpenStack dashbaord plugin for Trove. + + .. _Trove-dashboard: https://opendev.org/openstack/trove-dashboard + + References + ---------- + + * `Installation docs`_ + * `Manual installation docs`_ + * `Build guest image`_ + + .. _Installation docs: https://docs.openstack.org/trove/latest/install/ + .. _Manual installation docs: https://docs.openstack.org/trove/latest/install/install-manual.html + .. 
_Build guest image: https://docs.openstack.org/trove/latest/admin/building_guest_images.html + + Platform: UNKNOWN Classifier: Environment :: OpenStack Classifier: Intended Audience :: Information Technology 
@@ -17,65 +75,3 @@ Classifier: Programming Language :: Python :: 3.8 Classifier: Programming Language :: Python :: 3.9 Requires-Python: >= 3.8 -License-File: LICENSE -License-File: AUTHORS - -===== -Trove -===== - -.. image:: https://governance.openstack.org/tc/badges/trove.svg - :target: https://governance.openstack.org/tc/reference/tags/index.html - -Trove is Database as a Service for OpenStack. - -Getting Started ---------------- - -If you'd like to run from the master branch, you can clone the git repo: - - git clone https://opendev.org/openstack/trove - -For information on how to contribute to trove, please see -CONTRIBUTING.rst_ and HACKING.rst_ - -.. _CONTRIBUTING.rst: https://opendev.org/openstack/trove/src/branch/master/CONTRIBUTING.rst -.. _HACKING.rst: https://opendev.org/openstack/trove/src/branch/master/HACKING.rst - -* `Wiki `_ -* `Developer Docs `_ - -You can raise bugs here: -`Bug Tracker `_ - -The plan for trove can be found at -`Trove Specs `_ - -Release notes for the project can be found at: - https://docs.openstack.org/releasenotes/trove - -Python client -------------- -Python-troveclient_ is a client for Trove. - -.. _Python-troveclient: https://opendev.org/openstack/python-troveclient - -Dashboard plugin ----------------- -Trove-dashboard_ is OpenStack dashbaord plugin for Trove. - -.. _Trove-dashboard: https://opendev.org/openstack/trove-dashboard - -References ----------- - -* `Installation docs`_ -* `Manual installation docs`_ -* `Build guest image`_ - -.. _Installation docs: https://docs.openstack.org/trove/latest/install/ -.. _Manual installation docs: https://docs.openstack.org/trove/latest/install/install-manual.html -.. 
_Build guest image: https://docs.openstack.org/trove/latest/admin/building_guest_images.html - - - diff -Nru openstack-trove-17.0.0+git2022091213.6e4dd51c/releasenotes/notes/fix-illegal-value-be1acadc8c54c224.yaml openstack-trove-18.0.0/releasenotes/notes/fix-illegal-value-be1acadc8c54c224.yaml --- openstack-trove-17.0.0+git2022091213.6e4dd51c/releasenotes/notes/fix-illegal-value-be1acadc8c54c224.yaml 1970-01-01 00:00:00.000000000 +0000 +++ openstack-trove-18.0.0/releasenotes/notes/fix-illegal-value-be1acadc8c54c224.yaml 2022-10-05 12:23:18.000000000 +0000 @@ -0,0 +1,6 @@ +--- +fixes: + - | + check if the user input is legal, currently, trove may have a + RCE vulnerability. more details see: + `Stroy 2010004 `__ diff -Nru openstack-trove-17.0.0+git2022091213.6e4dd51c/releasenotes/notes/reno.cache openstack-trove-18.0.0/releasenotes/notes/reno.cache --- openstack-trove-17.0.0+git2022091213.6e4dd51c/releasenotes/notes/reno.cache 2022-09-12 17:47:47.000000000 +0000 +++ openstack-trove-18.0.0/releasenotes/notes/reno.cache 1970-01-01 00:00:00.000000000 +0000 
@@ -1,66 +0,0 @@ ---- -file-contents: - releasenotes/notes/drop-python-3-6-and-3-7-51489f1a80c2e5e5.yaml: - upgrade: - - 'Python 3.6 & 3.7 support has been dropped. The minimum version of Python now - - supported is Python 3.8. - - ' - releasenotes/notes/fix-docker-start-failed-160e79b6e5494edd.yaml: - fixes: - - 'Fix docker start failed in trove guest-agent when - - docker_insecure_registries is not set. - - ' - releasenotes/notes/fix-guest-agent-config-missing.yaml: - fixes: - - 'Fix guest-agent.conf is not generated in trove guest vm. - - `Stroy 2010231 `__' - releasenotes/notes/remove-bionic-support-85f506117e566813.yaml: - deprecations: - - The support of Bionic has been removed. - releasenotes/notes/support-backup-strategy.yaml: - features: - - The user can create backup strategy to define the configurations for creating - backups, e.g. the swift container to store the backup data. Users can also specify - the container name when creating backups which takes precedence over the backup - strategy configuration. - releasenotes/notes/support-online-resize.yaml: - features: - - Trove now supports to resize volume without downtime. To use this feature, the - version of Nova and Cinder needs to be at least Pike, the config option ``cinder_service_type`` - needs to be set to ``volumev3``. The cloud admin can disable this feature by - setting ``online_volume_resize=False``, default is enabled. - releasenotes/notes/support-subnet-and-ip-address.yaml: - features: - - Support ``subnet_id`` and ``ip_address`` for creating instance. When creating - instance, trove will check the network conflicts between user's network and - the management network, additionally, the cloud admin is able to define other - reserved networks by configuring ``reserved_network_cidrs``. 
-notes: -- files: - - - releasenotes/notes/drop-python-3-6-and-3-7-51489f1a80c2e5e5.yaml - - !!binary | - ZDU1NDJiMDRjNTY4OWFkYTYzN2Y5YzRjYThjNmQ4MGMyZTQ3MzRjYw== - - - releasenotes/notes/fix-docker-start-failed-160e79b6e5494edd.yaml - - !!binary | - NTRjMjU3OWEzNWJlYzUwNTQwYTcyOGQwNzcyM2NlZjNjMGZhNDY2NQ== - - - releasenotes/notes/fix-guest-agent-config-missing.yaml - - !!binary | - YzYxMmRjNjQ5NTQzNjhlN2RhYmY4YWRjNGI1NTUyODc1YzkxYjkwMg== - - - releasenotes/notes/remove-bionic-support-85f506117e566813.yaml - - !!binary | - OGVhNzZhMTQ1YTJjMzk5MjAwODhmYTQ2M2M5YzllODBkMDBlODMzOA== - - - releasenotes/notes/support-backup-strategy.yaml - - !!binary | - ZjlmM2JjYThmN2Y4NjdkZmNjNTcxNjIyNGRjNWIxMzI3MGIxNzE4MA== - - - releasenotes/notes/support-online-resize.yaml - - !!binary | - ZjlmM2JjYThmN2Y4NjdkZmNjNTcxNjIyNGRjNWIxMzI3MGIxNzE4MA== - - - releasenotes/notes/support-subnet-and-ip-address.yaml - - !!binary | - ZjlmM2JjYThmN2Y4NjdkZmNjNTcxNjIyNGRjNWIxMzI3MGIxNzE4MA== - version: 17.0.0.0rc1-39 diff -Nru openstack-trove-17.0.0+git2022091213.6e4dd51c/RELEASENOTES.rst openstack-trove-18.0.0/RELEASENOTES.rst --- openstack-trove-17.0.0+git2022091213.6e4dd51c/RELEASENOTES.rst 2022-09-12 17:47:47.000000000 +0000 +++ openstack-trove-18.0.0/RELEASENOTES.rst 1970-01-01 00:00:00.000000000 +0000 
@@ -1,63 +0,0 @@ -===== -trove -===== - -.. _trove_17.0.0.0rc1-39: - -17.0.0.0rc1-39 -============== - -.. _trove_17.0.0.0rc1-39_New Features: - -New Features ------------- - -.. releasenotes/notes/support-backup-strategy.yaml @ b'f9f3bca8f7f867dfcc5716224dc5b13270b17180' - -- The user can create backup strategy to define the configurations for creating backups, e.g. the swift container to store the backup data. Users can also specify the container name when creating backups which takes precedence over the backup strategy configuration. - -.. releasenotes/notes/support-online-resize.yaml @ b'f9f3bca8f7f867dfcc5716224dc5b13270b17180' - -- Trove now supports to resize volume without downtime. To use this feature, the version of Nova and Cinder needs to be at least Pike, the config option ``cinder_service_type`` needs to be set to ``volumev3``. The cloud admin can disable this feature by setting ``online_volume_resize=False``, default is enabled. - -.. releasenotes/notes/support-subnet-and-ip-address.yaml @ b'f9f3bca8f7f867dfcc5716224dc5b13270b17180' - -- Support ``subnet_id`` and ``ip_address`` for creating instance. When creating instance, trove will check the network conflicts between user's network and the management network, additionally, the cloud admin is able to define other reserved networks by configuring ``reserved_network_cidrs``. - - -.. _trove_17.0.0.0rc1-39_Upgrade Notes: - -Upgrade Notes -------------- - -.. releasenotes/notes/drop-python-3-6-and-3-7-51489f1a80c2e5e5.yaml @ b'd5542b04c5689ada637f9c4ca8c6d80c2e4734cc' - -- Python 3.6 & 3.7 support has been dropped. The minimum version of Python now - supported is Python 3.8. - - -.. _trove_17.0.0.0rc1-39_Deprecation Notes: - -Deprecation Notes ------------------ - -.. releasenotes/notes/remove-bionic-support-85f506117e566813.yaml @ b'8ea76a145a2c39920088fa463c9c9e80d00e8338' - -- The support of Bionic has been removed. - - -.. _trove_17.0.0.0rc1-39_Bug Fixes: - -Bug Fixes ---------- - -.. 
releasenotes/notes/fix-docker-start-failed-160e79b6e5494edd.yaml @ b'54c2579a35bec50540a728d07723cef3c0fa4665' - -- Fix docker start failed in trove guest-agent when - docker_insecure_registries is not set. - -.. releasenotes/notes/fix-guest-agent-config-missing.yaml @ b'c612dc64954368e7dabf8adc4b5552875c91b902' - -- Fix guest-agent.conf is not generated in trove guest vm. - `Stroy 2010231 `__ - diff -Nru openstack-trove-17.0.0+git2022091213.6e4dd51c/trove/backup/service.py openstack-trove-18.0.0/trove/backup/service.py --- openstack-trove-17.0.0+git2022091213.6e4dd51c/trove/backup/service.py 2022-06-06 14:23:13.000000000 +0000 +++ openstack-trove-18.0.0/trove/backup/service.py 2022-10-05 12:23:18.000000000 +0000 @@ -88,6 +88,9 @@ swift_container = data.get('swift_container') restore_from = data.get('restore_from') + if swift_container: + utils.validate_command(swift_container) + context.notification = notification.DBaaSBackupCreate( context, request=req) diff -Nru openstack-trove-17.0.0+git2022091213.6e4dd51c/trove/common/exception.py openstack-trove-18.0.0/trove/common/exception.py --- openstack-trove-17.0.0+git2022091213.6e4dd51c/trove/common/exception.py 2022-06-06 14:23:13.000000000 +0000 +++ openstack-trove-18.0.0/trove/common/exception.py 2022-10-05 12:23:18.000000000 +0000 @@ -61,6 +61,10 @@ message = _("Invalid RPC Connection Reuse.") +class InvalidValue(TroveError): + message = _("The value is not allowed: %(value)s.") + + class NotFound(TroveError): message = _("Resource %(uuid)s cannot be found.") diff -Nru openstack-trove-17.0.0+git2022091213.6e4dd51c/trove/common/utils.py openstack-trove-18.0.0/trove/common/utils.py --- openstack-trove-17.0.0+git2022091213.6e4dd51c/trove/common/utils.py 2022-06-06 14:23:13.000000000 +0000 +++ openstack-trove-18.0.0/trove/common/utils.py 2022-10-05 12:23:18.000000000 +0000 @@ -17,6 +17,7 @@ from collections import abc import inspect import os +import shlex import shutil import uuid import urllib.parse as urlparse 
@@ -423,3 +424,13 @@ parts.extend([b'', safe_encode(req.body)]) return b'\r\n'.join(parts).decode(req.charset) + + +def validate_command(string): + """ + Check if the string is legal for command + + raise invalidvalue if illegal + """ + if string != shlex.quote(string): + raise exception.InvalidValue(value=string) diff -Nru openstack-trove-17.0.0+git2022091213.6e4dd51c/trove/db/sqlalchemy/session.py openstack-trove-18.0.0/trove/db/sqlalchemy/session.py --- openstack-trove-17.0.0+git2022091213.6e4dd51c/trove/db/sqlalchemy/session.py 2022-06-06 14:23:13.000000000 +0000 +++ openstack-trove-18.0.0/trove/db/sqlalchemy/session.py 2022-10-05 12:23:18.000000000 +0000 @@ -94,6 +94,10 @@ # use enginefacade.from_config() instead database_opts = dict(CONF.database) database_opts.pop('query_log') + # FIXME(wuchunyang): we need to remove reliance on autocommit + # semantics ASAP. since it's not compatible with + # SQLAlchemy 2.0 + database_opts['autocommit'] = True _FACADE = session.EngineFacade( options['database']['connection'], **database_opts diff -Nru openstack-trove-17.0.0+git2022091213.6e4dd51c/trove/tests/unittests/common/test_utils.py openstack-trove-18.0.0/trove/tests/unittests/common/test_utils.py --- openstack-trove-17.0.0+git2022091213.6e4dd51c/trove/tests/unittests/common/test_utils.py 2022-06-06 14:23:13.000000000 +0000 +++ openstack-trove-18.0.0/trove/tests/unittests/common/test_utils.py 2022-10-05 12:23:18.000000000 +0000 
@@ -186,3 +186,19 @@ expected = ('GET / HTTP/1.0\r\nHost: localhost:80\r\n' 'X-Auth-Project-Id: \u6d4b\u8bd5') self.assertEqual(expected, utils.req_to_text(req)) + + def test_validate_command(self): + string1 = "hello_world" + string2 = "hello world" + string3 = "hello@world_123" + string4 = "example.com/databse/mysql:5.7" + string5 = 'test --db-user="$(touch /rce_successful.txt)"' + self.assertIsNone(utils.validate_command(string1)) + self.assertRaises(exception.InvalidValue, + utils.validate_command, + string2) + self.assertIsNone(utils.validate_command(string3)) + self.assertIsNone(utils.validate_command(string4)) + self.assertRaises(exception.InvalidValue, + utils.validate_command, + string5) diff -Nru openstack-trove-17.0.0+git2022091213.6e4dd51c/trove.egg-info/pbr.json openstack-trove-18.0.0/trove.egg-info/pbr.json --- openstack-trove-17.0.0+git2022091213.6e4dd51c/trove.egg-info/pbr.json 2022-09-12 17:47:45.000000000 +0000 +++ openstack-trove-18.0.0/trove.egg-info/pbr.json 2022-10-05 12:24:32.000000000 +0000 @@ -1 +1 @@ -{"git_version": "6e4dd51c", "is_release": false} \ No newline at end of file +{"git_version": "0ec4d048", "is_release": true} \ No newline at end of file diff -Nru openstack-trove-17.0.0+git2022091213.6e4dd51c/trove.egg-info/PKG-INFO openstack-trove-18.0.0/trove.egg-info/PKG-INFO --- openstack-trove-17.0.0+git2022091213.6e4dd51c/trove.egg-info/PKG-INFO 2022-09-12 17:47:45.000000000 +0000 +++ openstack-trove-18.0.0/trove.egg-info/PKG-INFO 2022-10-05 12:24:32.000000000 +0000 
@@ -1,11 +1,69 @@ -Metadata-Version: 2.1 +Metadata-Version: 1.2 Name: trove -Version: 17.1.0.dev66 +Version: 18.0.0 Summary: OpenStack DBaaS Home-page: https://docs.openstack.org/trove/latest/ Author: OpenStack Author-email: openstack-discuss@lists.openstack.org License: UNKNOWN +Description: ===== + Trove + ===== + + .. image:: https://governance.openstack.org/tc/badges/trove.svg + :target: https://governance.openstack.org/tc/reference/tags/index.html + + Trove is Database as a Service for OpenStack. + + Getting Started + --------------- + + If you'd like to run from the master branch, you can clone the git repo: + + git clone https://opendev.org/openstack/trove + + For information on how to contribute to trove, please see + CONTRIBUTING.rst_ and HACKING.rst_ + + .. _CONTRIBUTING.rst: https://opendev.org/openstack/trove/src/branch/master/CONTRIBUTING.rst + .. _HACKING.rst: https://opendev.org/openstack/trove/src/branch/master/HACKING.rst + + * `Wiki `_ + * `Developer Docs `_ + + You can raise bugs here: + `Bug Tracker `_ + + The plan for trove can be found at + `Trove Specs `_ + + Release notes for the project can be found at: + https://docs.openstack.org/releasenotes/trove + + Python client + ------------- + Python-troveclient_ is a client for Trove. + + .. _Python-troveclient: https://opendev.org/openstack/python-troveclient + + Dashboard plugin + ---------------- + Trove-dashboard_ is OpenStack dashbaord plugin for Trove. + + .. _Trove-dashboard: https://opendev.org/openstack/trove-dashboard + + References + ---------- + + * `Installation docs`_ + * `Manual installation docs`_ + * `Build guest image`_ + + .. _Installation docs: https://docs.openstack.org/trove/latest/install/ + .. _Manual installation docs: https://docs.openstack.org/trove/latest/install/install-manual.html + .. 
_Build guest image: https://docs.openstack.org/trove/latest/admin/building_guest_images.html + + Platform: UNKNOWN Classifier: Environment :: OpenStack Classifier: Intended Audience :: Information Technology 
@@ -17,65 +75,3 @@ Classifier: Programming Language :: Python :: 3.8 Classifier: Programming Language :: Python :: 3.9 Requires-Python: >= 3.8 -License-File: LICENSE -License-File: AUTHORS - -===== -Trove -===== - -.. image:: https://governance.openstack.org/tc/badges/trove.svg - :target: https://governance.openstack.org/tc/reference/tags/index.html - -Trove is Database as a Service for OpenStack. - -Getting Started ---------------- - -If you'd like to run from the master branch, you can clone the git repo: - - git clone https://opendev.org/openstack/trove - -For information on how to contribute to trove, please see -CONTRIBUTING.rst_ and HACKING.rst_ - -.. _CONTRIBUTING.rst: https://opendev.org/openstack/trove/src/branch/master/CONTRIBUTING.rst -.. _HACKING.rst: https://opendev.org/openstack/trove/src/branch/master/HACKING.rst - -* `Wiki `_ -* `Developer Docs `_ - -You can raise bugs here: -`Bug Tracker `_ - -The plan for trove can be found at -`Trove Specs `_ - -Release notes for the project can be found at: - https://docs.openstack.org/releasenotes/trove - -Python client -------------- -Python-troveclient_ is a client for Trove. - -.. _Python-troveclient: https://opendev.org/openstack/python-troveclient - -Dashboard plugin ----------------- -Trove-dashboard_ is OpenStack dashbaord plugin for Trove. - -.. _Trove-dashboard: https://opendev.org/openstack/trove-dashboard - -References ----------- - -* `Installation docs`_ -* `Manual installation docs`_ -* `Build guest image`_ - -.. _Installation docs: https://docs.openstack.org/trove/latest/install/ -.. _Manual installation docs: https://docs.openstack.org/trove/latest/install/install-manual.html -.. 
_Build guest image: https://docs.openstack.org/trove/latest/admin/building_guest_images.html - - - diff -Nru openstack-trove-17.0.0+git2022091213.6e4dd51c/trove.egg-info/SOURCES.txt openstack-trove-18.0.0/trove.egg-info/SOURCES.txt --- openstack-trove-17.0.0+git2022091213.6e4dd51c/trove.egg-info/SOURCES.txt 2022-09-12 17:47:45.000000000 +0000 +++ openstack-trove-18.0.0/trove.egg-info/SOURCES.txt 2022-10-05 12:24:32.000000000 +0000 @@ -370,6 +370,7 @@ releasenotes/notes/fix-galera_common-cluster-shrink-e2c80913423772dd.yaml releasenotes/notes/fix-gtid-parsing-9f60ad6e9e8f173f.yaml releasenotes/notes/fix-guest-agent-config-missing.yaml +releasenotes/notes/fix-illegal-value-be1acadc8c54c224.yaml releasenotes/notes/fix-module-apply-after-remove-97c84c30fb320a46.yaml releasenotes/notes/fix-mongo-cluster-grow-8fa4788af0ce5309.yaml releasenotes/notes/fix-mysql-replication-bf2b131994a5a772.yaml
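Review bot: in the two PKG-INFO hunks (openstack-trove-18.0.0/PKG-INFO and trove.egg-info/PKG-INFO) the metadata version drops from 2.1 to 1.2 and the two `License-File:` lines disappear, which means the 18.0.0 tarball was generated with an older setuptools/pbr than the 17.0.0 snapshot; the long description moving from the body into an indented `Description:` field is the same symptom. Not a code problem, but worth confirming the release was built from the intended toolchain. While the description is being regenerated, "OpenStack dashbaord plugin" in the Dashboard plugin section should read "dashboard".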
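Review bot: the new release note releasenotes/notes/fix-illegal-value-be1acadc8c54c224.yaml says only that "trove may have a RCE vulnerability" without naming the input, so an operator cannot tell from the note whether they are exposed. State what is validated by this change (the `swift_container` supplied on backup create, per trove/backup/service.py) and which characters are now rejected. Also "Stroy 2010004" should read "Story 2010004" (the same typo, "Stroy 2010231", already appears in the older guest-agent note).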
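Review bot: in the trove/backup/service.py hunk only `swift_container` is passed through `utils.validate_command`; `restore_from`, read from the same request body on the line above, is not checked, and the 17.0.0 release note visible in this diff says a backup strategy can also define the swift container used for backups, which this hunk does not cover either. If either value reaches the same command construction, apply the same check where the strategy is created and to `restore_from`, e.g. `if restore_from: utils.validate_command(restore_from)`, rather than relying on one call site in the API layer.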
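Review bot: the new `InvalidValue` message in trove/common/exception.py, "The value is not allowed: %(value)s.", tells the API caller that a value was rejected but not why, so a user who legitimately names a container with a space gets no hint about what to change. Suggest wording that names the constraint, for example "The value contains characters that are not allowed (only letters, digits and @%+=:,./_- are accepted): %(value)s."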
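Review bot: `validate_command` in the trove/common/utils.py hunk is correct but its policy is implicit: `string != shlex.quote(string)` rejects anything outside the safe-character set that `shlex.quote` happens to use internally (letters, digits and `@%+=:,./_-`), and it also rejects the empty string, since `shlex.quote('')` returns `''`. Make the allowlist explicit so reviewers and API users can see it, e.g. `_SAFE = re.compile(r'^[A-Za-z0-9@%+=:,./_-]+$')` and `if not _SAFE.match(string): raise exception.InvalidValue(value=string)`, and fix the docstring, which says "raise invalidvalue" rather than `exception.InvalidValue`. Independently of this check, the place where the container name is interpolated into a shell command (not shown in this diff) should quote it with `shlex.quote` or pass an argv list, so that a future caller that forgets `validate_command` does not reopen the issue the release note describes.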
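Review bot: in the trove/db/sqlalchemy/session.py hunk `database_opts['autocommit'] = True` is set unconditionally after `database_opts = dict(CONF.database)`, so it overrides whatever the operator's `[database]` section contained and pins the legacy autocommit behaviour that the FIXME itself says is incompatible with SQLAlchemy 2.0. Since this is acknowledged as a stopgap for oslo.db 12.1.0 (the "Fix compatibility with oslo.db 12.1.0" ChangeLog entry), the FIXME should reference a tracking story so the removal is not lost, and the release notes should mention that Trove still depends on autocommit semantics.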
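Review bot: `test_validate_command` in the trove/tests/unittests/common/test_utils.py hunk covers one space-containing string and one `$(...)` payload but none of the other shell metacharacters the check is meant to stop, nor the empty string, which `validate_command` rejects because `shlex.quote('')` returns `''` (the caller in backup/service.py only avoids this through its `if swift_container:` guard). Add cases such as `"a;b"`, `` "a`id`b" ``, `"a\nb"` and `""` asserting `exception.InvalidValue`, so the allowlist is pinned by the tests rather than by `shlex` internals. `string4` also has a typo, "databse"; harmless in test data, but worth fixing while here.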