- Weakness
- Resolution: Unresolved
- Low
- Security & Compliance
F-07 is informational
Description
The cloud-api-adaptor component relies on a template to format the CloudConfig.WriteFiles structure. This structure holds a collection of dynamic content to be written as files on the Confidential VM for the Kata Agent's use.
Go's standard library has no YAML-aware templating package, so the developers used its raw-text templating engine (text/template). Raw-text templating does not escape data during template evaluation: by supplying specifically structured data, an attacker could alter the structure of the YAML document that the template evaluation produces.
It must be noted that, in the current codebase, data that could alter the YAML document structure as a result of the template evaluation cannot be supplied: file contents are either base64 encoded or go through a JSON unmarshal/marshal cycle, both of which prevent a user from inserting a newline, the minimum required to alter the structure of the YAML document.
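To make the finding concrete, the following Go program (an added example, not code from cloud-api-adaptor) renders a write_files list through text/template in two ways: a template that inlines raw content the way the finding describes, and one that base64-encodes the content first, which is the mitigation the finding credits. The WriteFile type, the template text, the EncodeFiles path check and the sample payload are all constructed for this example and do not reproduce the project's own template; CountEntries counts top-level "- path:" lines as a stand-in for parsing the YAML.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// WriteFile is a constructed stand-in for one cloud-init write_files entry.
type WriteFile struct {
	Path    string
	Content string
}

// VulnTemplate inlines Content into an indented block scalar with no escaping.
// text/template knows nothing about YAML, so a newline in Content ends the
// block scalar and the rest of the value is parsed as new YAML nodes.
const VulnTemplate = `#cloud-config
write_files:
{{- range . }}
- path: {{ .Path }}
  content: |
    {{ .Content }}
{{- end }}
`

// SafeTemplate expects Content to already be base64 (cloud-init decodes it
// because of encoding: b64). The base64 alphabet contains no newline, quote
// or backslash, so nothing can terminate the quoted scalar early.
const SafeTemplate = `#cloud-config
write_files:
{{- range . }}
- path: {{ .Path }}
  encoding: b64
  content: "{{ .Content }}"
{{- end }}
`

// Render executes a cloud-config template over the given entries.
func Render(tmpl string, files []WriteFile) (string, error) {
	t, err := template.New("cloud-config").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, files)
	return buf.String(), err
}

// EncodeFiles base64-encodes every Content before it reaches the template and,
// as an added precaution that is not part of the finding, rejects a Path that
// contains a control character or starts with a YAML indicator.
func EncodeFiles(files []WriteFile) ([]WriteFile, error) {
	out := make([]WriteFile, 0, len(files))
	for _, f := range files {
		if f.Path == "" || strings.ContainsAny(f.Path[:1], "-?:,[]{}#&*!|>'\"%@`") ||
			strings.IndexFunc(f.Path, func(r rune) bool { return r < 0x20 || r == 0x7f }) >= 0 {
			return nil, fmt.Errorf("unsafe path %q", f.Path)
		}
		out = append(out, WriteFile{Path: f.Path, Content: base64.StdEncoding.EncodeToString([]byte(f.Content))})
	}
	return out, nil
}

// JSONScalar is the other mitigation the finding credits: a JSON round trip
// turns a raw newline into the two characters \n, and a JSON string literal
// is also a valid YAML double-quoted scalar.
func JSONScalar(s string) (string, error) {
	b, err := json.Marshal(s)
	return string(b), err
}

// CountEntries counts top-level write_files items (lines that start at
// column 0 with "- path:"); an injected entry shows up as an extra count.
func CountEntries(doc string) int {
	n := 0
	for _, line := range strings.Split(doc, "\n") {
		if strings.HasPrefix(line, "- path:") {
			n++
		}
	}
	return n
}

func main() {
	// Constructed attacker-controlled content: the embedded newline starts a
	// second write_files entry that the caller never asked for.
	payload := "harmless\n- path: /etc/cron.d/injected\n  content: |\n    * * * * * root id"
	files := []WriteFile{{Path: "/etc/motd", Content: payload}}
	bad, _ := Render(VulnTemplate, files)
	enc, _ := EncodeFiles(files)
	good, _ := Render(SafeTemplate, enc)
	fmt.Printf("vulnerable: %d entries\n%s\nsafe: %d entries\n%s", CountEntries(bad), bad, CountEntries(good), good)
}
```

Running it prints both documents: the raw render contains a second write_files entry (/etc/cron.d/injected) that the caller never supplied, while the base64 render keeps the whole payload inside one quoted scalar. JSONScalar shows why the JSON round trip has the same effect: json.Marshal turns a raw newline into the two characters \n, so the value stays on a single line.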
Location:
The code for this is [here|https://github.com/openshift/cloud-api-adaptor/blob/b4b4cc71bfd62e046d87b376fe3c2cc71eb1cbcc/src/cloud-providers/util/cloudinit/cloudconfig.go#L38-L95]
Recommendations
Consider replacing the template evaluation with typed Go structures that are marshalled to YAML by a YAML library; the marshaller quotes and escapes values, so user-supplied data cannot change the document structure. If the template is kept, continue to restrict file contents to encodings that cannot contain a newline (base64, or a JSON-escaped string) and validate every other value interpolated into the template before rendering.