From b71592ce0e0a9f9f9f225315015ca57b312ad30d Mon Sep 17 00:00:00 2001
From: Andrew Jorgensen
Date: Tue, 1 Nov 2016 10:54:31 -0400
Subject: EC2: Do not cache security credentials on disk

On EC2, instance metadata can include credentials that remain valid for as much as 6 hours. Reading these and allowing them to be pickled represents a potential vulnerability if a snapshot of the disk is taken and shared as part of an AMI. This skips security-credentials when walking the meta-data tree.
LP: #1638312
Reviewed-by: Ian Weller
Reviewed-by: Ben Cressey
Reported-by: Kyle Barnes
---
 cloudinit/ec2_utils.py | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'cloudinit/ec2_utils.py')
diff --git a/cloudinit/ec2_utils.py b/cloudinit/ec2_utils.py
index c656ef14..0c16ae47 100644
--- a/cloudinit/ec2_utils.py
+++ b/cloudinit/ec2_utils.py
@@ -82,6 +82,9 @@ class MetadataMaterializer(object):
             field_name = get_name(field)
             if not field or not field_name:
                 continue
+            # Don't materialize credentials
+            if field_name == 'security-credentials':
+                continue
             if has_children(field):
                 if field_name not in children:
                     children.append(field_name)
-- cgit v1.2.3

From 91be1d189d9348e81a4c4f1f7d5fc255df1ce6d1 Mon Sep 17 00:00:00 2001
From: Scott Moser
Date: Thu, 16 Feb 2017 21:13:38 -0500
Subject: ec2_utils: fix MetadataLeafDecoder that returned bytes on empty

the MetadataLeafDecoder would return a bytes value b'' instead of an empty string if the value of a key was empty. In all other cases the value would be a string. This was discovered when trying to json.dumps(get_instance_metadata()) on a recent OpenStack, where the value of 'public-ipv4' was empty. The attempt to dump that with json would raise TypeError: b'' is not JSON serializable
---
 cloudinit/ec2_utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'cloudinit/ec2_utils.py')
diff --git a/cloudinit/ec2_utils.py b/cloudinit/ec2_utils.py
index 0c16ae47..13691549 100644
--- a/cloudinit/ec2_utils.py
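Review bot: The added `if field_name == 'security-credentials':` guard drops the subtree silently and its one-line comment does not record the threat, so a later maintainer chasing "credentials missing from metadata" has nothing stopping them from deleting it; replace the comment with `# Never fetch or cache security-credentials: the materialized tree is pickled to disk and can leak into an AMI snapshot (LP: #1638312)`. Because the match is on the bare field name it fires at any depth of the tree, which appears to be what protects the `iam/security-credentials/` branch, but it also means any unrelated key that happens to carry that name is dropped; if that is intended it is worth saying so. Consider hoisting the name into a module-level `SKIPPED_METADATA_KEYS = frozenset(['security-credentials'])` and testing `field_name in SKIPPED_METADATA_KEYS`, so the next sensitive key lands in one place and the skip is unit-testable. The enclosing method starts before and continues after the hunk.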
+++ b/cloudinit/ec2_utils.py
@@ -28,7 +28,7 @@ class MetadataLeafDecoder(object):
     def __call__(self, field, blob):
         if not blob:
-            return blob
+            return ''
         try:
             blob = util.decode_binary(blob)
         except UnicodeDecodeError:
-- cgit v1.2.3
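Review bot: `return ''` fixes the bytes-vs-str mismatch, but nothing in `__call__` states the contract that it always returns text, which is exactly what callers such as json.dumps rely on and what the old `return blob` quietly violated; add a docstring such as `"""Decode a metadata leaf to text; empty or missing content decodes to '' so every leaf value is a str."""`. The `if not blob:` check also maps `None` to `''`, which is reasonable for a leaf but deserves a word in the docstring so it is not read as accidental. The `except UnicodeDecodeError:` handler and the rest of the method lie outside the hunk, so whether that path returns str as well cannot be confirmed here.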