fix security issue

sonic-net · Oct 29, 2024 · 4efda84 · 4efda84
1 parent e300b92
commit 4efda84
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 14 deletions.
diff --git a/health/health.go b/health/health.go
@@ -24,7 +24,8 @@ type ContainerHealthInfo struct {
 func GetHealthInfo() ([]ContainerHealthInfo, error) {
 	// Here we interact with Docker to get container stats
 	cmd := "docker stats --no-stream --format \"{{.Container}},{{.CPUPerc}},{{.MemPerc}},{{.Name}}\" | grep gnmi"
-	output, err := exec.Command("sh", "-c", cmd).Output()
+	args := strings.Fields(cmd)
+	output, err := exec.Command(args[0], args[1:]...).Output()
 	if err != nil {
 		return nil, fmt.Errorf("failed to retrieve container stats: %v", err)
 	}
@@ -60,7 +61,8 @@ func GetHealthInfo() ([]ContainerHealthInfo, error) {
 func getDiskOccupation(containerID string) float64 {
 	// Run the command to get disk usage inside the container
 	cmd := fmt.Sprintf("docker exec %s df / | tail -1 | awk '{print $5}'", containerID)
-	output, err := exec.Command("sh", "-c", cmd).Output()
+	args := strings.Fields(cmd)
+	output, err := exec.Command(args[0], args[1:]...).Output()
 	if err != nil {
 		fmt.Printf("failed to retrieve disk occupation for container %s: %v\n", containerID, err)
 		return 0.0
@@ -72,7 +74,8 @@ func getDiskOccupation(containerID string) float64 {
 func getCertExpiration(containerID string) int64 {
 	// Run the command to get the certificate from the container
 	cmd := fmt.Sprintf("docker exec %s cat /path/to/cert.pem", containerID)
-	output, err := exec.Command("sh", "-c", cmd).Output()
+	args := strings.Fields(cmd)
+	output, err := exec.Command(args[0], args[1:]...).Output()
 	if err != nil {
 		fmt.Printf("failed to retrieve certificate for container %s: %v\n", containerID, err)
 		return 0

diff --git a/sonic_data_client/non_db_client.go b/sonic_data_client/non_db_client.go
@@ -42,7 +42,7 @@ type statsRing struct {
 
 type healthInfoStash struct {
 	once       sync.Once
-	healthInfo []ContainerHealthInfo
+	healthInfo []health.ContainerHealthInfo
 	err        error
 	isHealthy  bool
 }
@@ -349,30 +349,31 @@ func getBuildVersion() ([]byte, error) {
 
 func getContainerHealthStatus() ([]byte, error) {
 	// Load and parse the container health status
-	healthInfoStash.once.Do(func() {
-		healthInfoStash.healthInfo, healthInfoStash.err = GetHealthInfo()
-		if healthInfoStash.err != nil {
-			log.Errorf("Failed to gather health metrics: %v", healthInfoStash.err)
+	var stash healthInfoStash
+	stash.once.Do(func() {
+		stash.healthInfo, stash.err = health.GetHealthInfo() // Assuming GetHealthInfo() returns ([]ContainerHealthInfo, error)
+		if stash.err != nil {
+			log.V(2).Infof("Failed to gather health metrics: %v", stash.err)
 			return
 		}
 
 		// Evaluate health info
-		healthInfoStash.isHealthy = true
-		for _, container := range healthInfoStash.healthInfo {
-			LogHealthProofs(container)
+		stash.isHealthy = true
+		for _, container := range stash.healthInfo {
+			health.LogHealthProofs(container)
 			if container.CPUUtilization > 80.0 || container.MemoryUsage > 80.0 || container.DiskOccupation > 90.0 || container.CertExpiration <= 30 {
-				healthInfoStash.isHealthy = false
+				stash.isHealthy = false
 				break
 			}
 		}
 	})
 
-	b, err := json.Marshal(healthInfoStash.healthInfo)
+	b, err := json.Marshal(stash.healthInfo)
 	if err != nil {
 		log.V(2).Infof("%v", err)
 		return b, err
 	}
-	log.V(4).Infof("ReportHealthToKubeSonic, output %v", string(b))
+	log.V(4).Infof("getContainerHealthStatus, output %v", string(b))
 	return b, nil
 }