microsoft
diff --git a/‎SPECS/rook/CVE-2022-3162.patch‎
Lines changed: 382 additions & 0 deletions b/‎SPECS/rook/CVE-2022-3162.patch‎
Lines changed: 382 additions & 0 deletions
@@ -0,0 +1,382 @@
+From e7b77750506ad3c40a47d554c61e8b04923f1094 Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <v-klockwood@microsoft.com>
+Date: Fri, 28 Feb 2025 14:26:41 -0800
+Subject: [PATCH] [Medium] Patch rook for CVE-2022-3162
+
+Link: https://github.com/kubernetes/kubernetes/pull/113687/commits/54269f2b186ea2a37bb4e9a22e797fdc6ebdcb37.patch
+---
+ .../apiserver/pkg/storage/etcd3/store.go      | 146 ++++++++++++------
+ 1 file changed, 100 insertions(+), 46 deletions(-)
+
+diff --git a/vendor/k8s.io/apiserver/pkg/storage/etcd3/store.go b/vendor/k8s.io/apiserver/pkg/storage/etcd3/store.go
+index 0cff6b3..f725465 100644
+--- a/vendor/k8s.io/apiserver/pkg/storage/etcd3/store.go
++++ b/vendor/k8s.io/apiserver/pkg/storage/etcd3/store.go
+@@ -89,18 +89,23 @@ func New(c *clientv3.Client, codec runtime.Codec, newFunc func() runtime.Object,
+ 
+ func newStore(c *clientv3.Client, newFunc func() runtime.Object, pagingEnabled bool, codec runtime.Codec, prefix string, transformer value.Transformer) *store {
+ 	versioner := APIObjectVersioner{}
++	// for compatibility with etcd2 impl.
++	// no-op for default prefix of '/registry'.
++	// keeps compatibility with etcd2 impl for custom prefixes that don't start with '/'
++	pathPrefix := path.Join("/", prefix)
++	if !strings.HasSuffix(pathPrefix, "/") {
++		// Ensure the pathPrefix ends in "/" here to simplify key concatenation later.
++		pathPrefix += "/"
++	}
+ 	result := &store{
+ 		client:        c,
+ 		codec:         codec,
+ 		versioner:     versioner,
+ 		transformer:   transformer,
+ 		pagingEnabled: pagingEnabled,
+-		// for compatibility with etcd2 impl.
+-		// no-op for default prefix of '/registry'.
+-		// keeps compatibility with etcd2 impl for custom prefixes that don't start with '/'
+-		pathPrefix:   path.Join("/", prefix),
+-		watcher:      newWatcher(c, codec, newFunc, versioner, transformer),
+-		leaseManager: newDefaultLeaseManager(c),
++		pathPrefix:    pathPrefix,
++		watcher:       newWatcher(c, codec, newFunc, versioner, transformer),
++		leaseManager:  newDefaultLeaseManager(c),
+ 	}
+ 	return result
+ }
+@@ -112,9 +117,12 @@ func (s *store) Versioner() storage.Versioner {
+ 
+ // Get implements storage.Interface.Get.
+ func (s *store) Get(ctx context.Context, key string, opts storage.GetOptions, out runtime.Object) error {
+-	key = path.Join(s.pathPrefix, key)
++	preparedKey, err := s.prepareKey(key)
++	if err != nil {
++		return err
++	}
+ 	startTime := time.Now()
+-	getResp, err := s.client.KV.Get(ctx, key)
++	getResp, err := s.client.KV.Get(ctx, preparedKey)
+ 	metrics.RecordEtcdRequestLatency("get", getTypeName(out), startTime)
+ 	if err != nil {
+ 		return err
+@@ -127,11 +135,11 @@ func (s *store) Get(ctx context.Context, key string, opts storage.GetOptions, ou
+ 		if opts.IgnoreNotFound {
+ 			return runtime.SetZeroValue(out)
+ 		}
+-		return storage.NewKeyNotFoundError(key, 0)
++		return storage.NewKeyNotFoundError(preparedKey, 0)
+ 	}
+ 	kv := getResp.Kvs[0]
+ 
+-	data, _, err := s.transformer.TransformFromStorage(kv.Value, authenticatedDataString(key))
++	data, _, err := s.transformer.TransformFromStorage(kv.Value, authenticatedDataString(preparedKey))
+ 	if err != nil {
+ 		return storage.NewInternalError(err.Error())
+ 	}
+@@ -141,6 +149,11 @@ func (s *store) Get(ctx context.Context, key string, opts storage.GetOptions, ou
+ 
+ // Create implements storage.Interface.Create.
+ func (s *store) Create(ctx context.Context, key string, obj, out runtime.Object, ttl uint64) error {
++	preparedKey, err := s.prepareKey(key)
++	if err != nil {
++		return err
++	}
++
+ 	if version, err := s.versioner.ObjectResourceVersion(obj); err == nil && version != 0 {
+ 		return errors.New("resourceVersion should not be set on objects to be created")
+ 	}
+@@ -151,30 +164,29 @@ func (s *store) Create(ctx context.Context, key string, obj, out runtime.Object,
+ 	if err != nil {
+ 		return err
+ 	}
+-	key = path.Join(s.pathPrefix, key)
+ 
+ 	opts, err := s.ttlOpts(ctx, int64(ttl))
+ 	if err != nil {
+ 		return err
+ 	}
+ 
+-	newData, err := s.transformer.TransformToStorage(data, authenticatedDataString(key))
++	newData, err := s.transformer.TransformToStorage(data, authenticatedDataString(preparedKey))
+ 	if err != nil {
+ 		return storage.NewInternalError(err.Error())
+ 	}
+ 
+ 	startTime := time.Now()
+ 	txnResp, err := s.client.KV.Txn(ctx).If(
+-		notFound(key),
++		notFound(preparedKey),
+ 	).Then(
+-		clientv3.OpPut(key, string(newData), opts...),
++		clientv3.OpPut(preparedKey, string(newData), opts...),
+ 	).Commit()
+ 	metrics.RecordEtcdRequestLatency("create", getTypeName(obj), startTime)
+ 	if err != nil {
+ 		return err
+ 	}
+ 	if !txnResp.Succeeded {
+-		return storage.NewKeyExistsError(key, 0)
++		return storage.NewKeyExistsError(preparedKey, 0)
+ 	}
+ 
+ 	if out != nil {
+@@ -186,12 +198,15 @@ func (s *store) Create(ctx context.Context, key string, obj, out runtime.Object,
+ 
+ // Delete implements storage.Interface.Delete.
+ func (s *store) Delete(ctx context.Context, key string, out runtime.Object, preconditions *storage.Preconditions, validateDeletion storage.ValidateObjectFunc) error {
++	preparedKey, err := s.prepareKey(key)
++	if err != nil {
++		return err
++	}
+ 	v, err := conversion.EnforcePtr(out)
+ 	if err != nil {
+ 		return fmt.Errorf("unable to convert output object to pointer: %v", err)
+ 	}
+-	key = path.Join(s.pathPrefix, key)
+-	return s.conditionalDelete(ctx, key, out, v, preconditions, validateDeletion)
++	return s.conditionalDelete(ctx, preparedKey, out, v, preconditions, validateDeletion)
+ }
+ 
+ func (s *store) conditionalDelete(ctx context.Context, key string, out runtime.Object, v reflect.Value, preconditions *storage.Preconditions, validateDeletion storage.ValidateObjectFunc) error {
+@@ -239,6 +254,10 @@ func (s *store) conditionalDelete(ctx context.Context, key string, out runtime.O
+ func (s *store) GuaranteedUpdate(
+ 	ctx context.Context, key string, out runtime.Object, ignoreNotFound bool,
+ 	preconditions *storage.Preconditions, tryUpdate storage.UpdateFunc, suggestion runtime.Object) error {
++	preparedKey, err := s.prepareKey(key)
++	if err != nil {
++		return err
++	}
+ 	trace := utiltrace.New("GuaranteedUpdate etcd3", utiltrace.Field{"type", getTypeName(out)})
+ 	defer trace.LogIfLong(500 * time.Millisecond)
+ 
+@@ -246,16 +265,15 @@ func (s *store) GuaranteedUpdate(
+ 	if err != nil {
+ 		return fmt.Errorf("unable to convert output object to pointer: %v", err)
+ 	}
+-	key = path.Join(s.pathPrefix, key)
+ 
+ 	getCurrentState := func() (*objState, error) {
+ 		startTime := time.Now()
+-		getResp, err := s.client.KV.Get(ctx, key)
++		getResp, err := s.client.KV.Get(ctx, preparedKey)
+ 		metrics.RecordEtcdRequestLatency("get", getTypeName(out), startTime)
+ 		if err != nil {
+ 			return nil, err
+ 		}
+-		return s.getState(getResp, key, v, ignoreNotFound)
++		return s.getState(getResp, preparedKey, v, ignoreNotFound)
+ 	}
+ 
+ 	var origState *objState
+@@ -274,9 +292,9 @@ func (s *store) GuaranteedUpdate(
+ 	}
+ 	trace.Step("initial value restored")
+ 
+-	transformContext := authenticatedDataString(key)
++	transformContext := authenticatedDataString(preparedKey)
+ 	for {
+-		if err := preconditions.Check(key, origState.obj); err != nil {
++		if err := preconditions.Check(preparedKey, origState.obj); err != nil {
+ 			// If our data is already up to date, return the error
+ 			if !mustCheckData {
+ 				return err
+@@ -349,11 +367,11 @@ func (s *store) GuaranteedUpdate(
+ 
+ 		startTime := time.Now()
+ 		txnResp, err := s.client.KV.Txn(ctx).If(
+-			clientv3.Compare(clientv3.ModRevision(key), "=", origState.rev),
++			clientv3.Compare(clientv3.ModRevision(preparedKey), "=", origState.rev),
+ 		).Then(
+-			clientv3.OpPut(key, string(newData), opts...),
++			clientv3.OpPut(preparedKey, string(newData), opts...),
+ 		).Else(
+-			clientv3.OpGet(key),
++			clientv3.OpGet(preparedKey),
+ 		).Commit()
+ 		metrics.RecordEtcdRequestLatency("update", getTypeName(out), startTime)
+ 		if err != nil {
+@@ -362,8 +380,8 @@ func (s *store) GuaranteedUpdate(
+ 		trace.Step("Transaction committed")
+ 		if !txnResp.Succeeded {
+ 			getResp := (*clientv3.GetResponse)(txnResp.Responses[0].GetResponseRange())
+-			klog.V(4).Infof("GuaranteedUpdate of %s failed because of a conflict, going to retry", key)
+-			origState, err = s.getState(getResp, key, v, ignoreNotFound)
++			klog.V(4).Infof("GuaranteedUpdate of %s failed because of a conflict, going to retry", preparedKey)
++			origState, err = s.getState(getResp, preparedKey, v, ignoreNotFound)
+ 			if err != nil {
+ 				return err
+ 			}
+@@ -379,6 +397,11 @@ func (s *store) GuaranteedUpdate(
+ 
+ // GetToList implements storage.Interface.GetToList.
+ func (s *store) GetToList(ctx context.Context, key string, listOpts storage.ListOptions, listObj runtime.Object) error {
++	preparedKey, err := s.prepareKey(key)
++	if err != nil {
++		return err
++	}
++
+ 	resourceVersion := listOpts.ResourceVersion
+ 	match := listOpts.ResourceVersionMatch
+ 	pred := listOpts.Predicate
+@@ -400,7 +423,6 @@ func (s *store) GetToList(ctx context.Context, key string, listOpts storage.List
+ 
+ 	newItemFunc := getNewItemFunc(listObj, v)
+ 
+-	key = path.Join(s.pathPrefix, key)
+ 	startTime := time.Now()
+ 	var opts []clientv3.OpOption
+ 	if len(resourceVersion) > 0 && match == metav1.ResourceVersionMatchExact {
+@@ -411,7 +433,7 @@ func (s *store) GetToList(ctx context.Context, key string, listOpts storage.List
+ 		opts = append(opts, clientv3.WithRev(int64(rv)))
+ 	}
+ 
+-	getResp, err := s.client.KV.Get(ctx, key, opts...)
++	getResp, err := s.client.KV.Get(ctx, preparedKey, opts...)
+ 	metrics.RecordEtcdRequestLatency("get", getTypeName(listPtr), startTime)
+ 	if err != nil {
+ 		return err
+@@ -421,7 +443,7 @@ func (s *store) GetToList(ctx context.Context, key string, listOpts storage.List
+ 	}
+ 
+ 	if len(getResp.Kvs) > 0 {
+-		data, _, err := s.transformer.TransformFromStorage(getResp.Kvs[0].Value, authenticatedDataString(key))
++		data, _, err := s.transformer.TransformFromStorage(getResp.Kvs[0].Value, authenticatedDataString(preparedKey))
+ 		if err != nil {
+ 			return storage.NewInternalError(err.Error())
+ 		}
+@@ -451,18 +473,21 @@ func getNewItemFunc(listObj runtime.Object, v reflect.Value) func() runtime.Obje
+ }
+ 
+ func (s *store) Count(key string) (int64, error) {
+-	key = path.Join(s.pathPrefix, key)
++	preparedKey, err := s.prepareKey(key)
++	if err != nil {
++		return 0, err
++	}
+ 
+ 	// We need to make sure the key ended with "/" so that we only get children "directories".
+ 	// e.g. if we have key "/a", "/a/b", "/ab", getting keys with prefix "/a" will return all three,
+ 	// while with prefix "/a/" will return only "/a/b" which is the correct answer.
+-	if !strings.HasSuffix(key, "/") {
+-		key += "/"
++	if !strings.HasSuffix(preparedKey, "/") {
++		preparedKey += "/"
+ 	}
+ 
+ 	startTime := time.Now()
+-	getResp, err := s.client.KV.Get(context.Background(), key, clientv3.WithRange(clientv3.GetPrefixRangeEnd(key)), clientv3.WithCountOnly())
+-	metrics.RecordEtcdRequestLatency("listWithCount", key, startTime)
++	getResp, err := s.client.KV.Get(context.Background(), preparedKey, clientv3.WithRange(clientv3.GetPrefixRangeEnd(preparedKey)), clientv3.WithCountOnly())
++	metrics.RecordEtcdRequestLatency("listWithCount", preparedKey, startTime)
+ 	if err != nil {
+ 		return 0, err
+ 	}
+@@ -531,6 +556,11 @@ func encodeContinue(key, keyPrefix string, resourceVersion int64) (string, error
+ 
+ // List implements storage.Interface.List.
+ func (s *store) List(ctx context.Context, key string, opts storage.ListOptions, listObj runtime.Object) error {
++	preparedKey, err := s.prepareKey(key)
++	if err != nil {
++		return err
++	}
++
+ 	resourceVersion := opts.ResourceVersion
+ 	match := opts.ResourceVersionMatch
+ 	pred := opts.Predicate
+@@ -550,16 +580,13 @@ func (s *store) List(ctx context.Context, key string, opts storage.ListOptions,
+ 		return fmt.Errorf("need ptr to slice: %v", err)
+ 	}
+ 
+-	if s.pathPrefix != "" {
+-		key = path.Join(s.pathPrefix, key)
+-	}
+ 	// We need to make sure the key ended with "/" so that we only get children "directories".
+ 	// e.g. if we have key "/a", "/a/b", "/ab", getting keys with prefix "/a" will return all three,
+ 	// while with prefix "/a/" will return only "/a/b" which is the correct answer.
+-	if !strings.HasSuffix(key, "/") {
+-		key += "/"
++	if !strings.HasSuffix(preparedKey, "/") {
++		preparedKey += "/"
+ 	}
+-	keyPrefix := key
++	keyPrefix := preparedKey
+ 
+ 	// set the appropriate clientv3 options to filter the returned data set
+ 	var paging bool
+@@ -595,7 +622,7 @@ func (s *store) List(ctx context.Context, key string, opts storage.ListOptions,
+ 
+ 		rangeEnd := clientv3.GetPrefixRangeEnd(keyPrefix)
+ 		options = append(options, clientv3.WithRange(rangeEnd))
+-		key = continueKey
++		preparedKey = continueKey
+ 
+ 		// If continueRV > 0, the LIST request needs a specific resource version.
+ 		// continueRV==0 is invalid.
+@@ -652,7 +679,7 @@ func (s *store) List(ctx context.Context, key string, opts storage.ListOptions,
+ 	var getResp *clientv3.GetResponse
+ 	for {
+ 		startTime := time.Now()
+-		getResp, err = s.client.KV.Get(ctx, key, options...)
++		getResp, err = s.client.KV.Get(ctx, preparedKey, options...)
+ 		metrics.RecordEtcdRequestLatency("list", getTypeName(listPtr), startTime)
+ 		if err != nil {
+ 			return interpretListError(err, len(pred.Continue) > 0, continueKey, keyPrefix)
+@@ -705,7 +732,7 @@ func (s *store) List(ctx context.Context, key string, opts storage.ListOptions,
+ 		if int64(v.Len()) >= pred.Limit {
+ 			break
+ 		}
+-		key = string(lastKey) + "\x00"
++		preparedKey = string(lastKey) + "\x00"
+ 		if withRev == 0 {
+ 			withRev = returnedRV
+ 			options = append(options, clientv3.WithRev(withRev))
+@@ -779,12 +806,15 @@ func (s *store) WatchList(ctx context.Context, key string, opts storage.ListOpti
+ }
+ 
+ func (s *store) watch(ctx context.Context, key string, opts storage.ListOptions, recursive bool) (watch.Interface, error) {
++	preparedKey, err := s.prepareKey(key)
++	if err != nil {
++		return nil, err
++	}
+ 	rev, err := s.versioner.ParseResourceVersion(opts.ResourceVersion)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+-	key = path.Join(s.pathPrefix, key)
+-	return s.watcher.Watch(ctx, key, int64(rev), recursive, opts.ProgressNotify, opts.Predicate)
++	return s.watcher.Watch(ctx, preparedKey, int64(rev), recursive, opts.ProgressNotify, opts.Predicate)
+ }
+ 
+ func (s *store) getState(getResp *clientv3.GetResponse, key string, v reflect.Value, ignoreNotFound bool) (*objState, error) {
+@@ -896,6 +926,30 @@ func (s *store) validateMinimumResourceVersion(minimumResourceVersion string, ac
+ 	return nil
+ }
+ 
++func (s *store) prepareKey(key string) (string, error) {
++	if key == ".." ||
++		strings.HasPrefix(key, "../") ||
++		strings.HasSuffix(key, "/..") ||
++		strings.Contains(key, "/../") {
++		return "", fmt.Errorf("invalid key: %q", key)
++	}
++	if key == "." ||
++		strings.HasPrefix(key, "./") ||
++		strings.HasSuffix(key, "/.") ||
++		strings.Contains(key, "/./") {
++		return "", fmt.Errorf("invalid key: %q", key)
++	}
++	if key == "" || key == "/" {
++		return "", fmt.Errorf("empty key: %q", key)
++	}
++	// We ensured that pathPrefix ends in '/' in construction, so skip any leading '/' in the key now.
++	startIndex := 0
++	if key[0] == '/' {
++		startIndex = 1
++	}
++	return s.pathPrefix + key[startIndex:], nil
++}
++
+ // decode decodes value of bytes into object. It will also set the object resource version to rev.
+ // On success, objPtr would be set to the object.
+ func decode(codec runtime.Codec, versioner storage.Versioner, value []byte, objPtr runtime.Object, rev int64) error {
+-- 
+2.34.1
+