From f492992065d0aead958df7613541acb709a0c52c Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Wed, 5 May 2021 16:29:23 +0200
Subject: [PATCH] MINOR: cli: set tainted when using CLI expert/experimental
 mode

Mark the process as tainted as soon as a command command only accessible
in expert or experimental mode is executed.
---
 include/haproxy/global.h | 2 ++
 src/cli.c                | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/include/haproxy/global.h b/include/haproxy/global.h
index c69955c81b..2ff7b5d017 100644
--- a/include/haproxy/global.h
+++ b/include/haproxy/global.h
@@ -100,6 +100,8 @@ static inline unsigned long thread_mask(unsigned long mask)
 enum tainted_flags {
 	TAINTED_CONFIG_EXP_KW_DECLARED = 0x1,
 	TAINTED_ACTION_EXP_EXECUTED    = 0x2,
+	TAINTED_CLI_EXPERT_MODE        = 0x4,
+	TAINTED_CLI_EXPERIMENTAL_MODE  = 0x8,
 };
 void mark_tainted(const enum tainted_flags flag);
 unsigned int get_tainted();
diff --git a/src/cli.c b/src/cli.c
index 4d9624be35..c5009a3bcc 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -739,6 +739,11 @@ static int cli_parse_request(struct appctx *appctx)
 		return 0;
 	}
 
+	if (kw->level == ACCESS_EXPERT)
+		mark_tainted(TAINTED_CLI_EXPERT_MODE);
+	else if (kw->level == ACCESS_EXPERIMENTAL)
+		mark_tainted(TAINTED_CLI_EXPERIMENTAL_MODE);
+
 	appctx->io_handler = kw->io_handler;
 	appctx->io_release = kw->io_release;
 
-- 
2.39.5