Projects
openEuler:20.03:LTS:SP3
ansible
_service:tar_scm_kernel_repo:CVE-2020-10684.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm_kernel_repo:CVE-2020-10684.patch of Package ansible
From e26374d30ced2585e6f10a2488a54ad23a115f8b Mon Sep 17 00:00:00 2001 From: Brian Coca <brian.coca+git@gmail.com> Date: Wed, 18 Mar 2020 11:11:52 -0400 Subject: [PATCH] prevent ansible_facts injection - also only replace when needed - switched from replace to index - added test to verify bogus_facts are not accepted --- changelogs/fragments/af_clean.yml | 2 ++ lib/ansible/constants.py | 2 +- lib/ansible/vars/clean.py | 7 +++---- .../targets/gathering_facts/library/bogus_facts | 12 ++++++++++++ test/integration/targets/gathering_facts/runme.sh | 3 +++ .../gathering_facts/test_prevent_injection.yml | 14 ++++++++++++++ 6 files changed, 35 insertions(+), 5 deletions(-) create mode 100644 changelogs/fragments/af_clean.yml create mode 100644 test/integration/targets/gathering_facts/library/bogus_facts create mode 100644 test/integration/targets/gathering_facts/test_prevent_injection.yml diff --git a/changelogs/fragments/af_clean.yml b/changelogs/fragments/af_clean.yml new file mode 100644 index 0000000..9d14ca5 --- /dev/null +++ b/changelogs/fragments/af_clean.yml @@ -0,0 +1,2 @@ +bugfixes: + - Ensure we don't allow ansible_facts subkey of ansible_facts to override top level, also fix 'deprefixing' to prevent key transforms. diff --git a/lib/ansible/constants.py b/lib/ansible/constants.py index cdf2d5f..9a2073c 100644 --- a/lib/ansible/constants.py +++ b/lib/ansible/constants.py @@ -100,7 +100,7 @@ INTERNAL_RESULT_KEYS = ('add_host', 'add_group') LOCALHOST = ('127.0.0.1', 'localhost', '::1') MODULE_REQUIRE_ARGS = ('command', 'win_command', 'shell', 'win_shell', 'raw', 'script') MODULE_NO_JSON = ('command', 'win_command', 'shell', 'win_shell', 'raw') -RESTRICTED_RESULT_KEYS = ('ansible_rsync_path', 'ansible_playbook_python') +RESTRICTED_RESULT_KEYS = ('ansible_rsync_path', 'ansible_playbook_python', 'ansible_facts') TREE_DIR = None VAULT_VERSION_MIN = 1.0 VAULT_VERSION_MAX = 1.0 diff --git a/lib/ansible/vars/clean.py b/lib/ansible/vars/clean.py index c83709d..0a4fe07 100644 --- a/lib/ansible/vars/clean.py +++ b/lib/ansible/vars/clean.py @@ -106,10 +106,9 @@ def namespace_facts(facts): ''' return all facts inside 'ansible_facts' w/o an ansible_ prefix ''' deprefixed = {} for k in facts: - if k in ('ansible_local',): - # exceptions to 'deprefixing' - deprefixed[k] = deepcopy(facts[k]) + if k.startswith('ansible_') and k not in ('ansible_local',): + deprefixed[k[8:]] = deepcopy(facts[k]) else: - deprefixed[k.replace('ansible_', '', 1)] = deepcopy(facts[k]) + deprefixed[k] = deepcopy(facts[k]) return {'ansible_facts': deprefixed} diff --git a/test/integration/targets/gathering_facts/library/bogus_facts b/test/integration/targets/gathering_facts/library/bogus_facts new file mode 100644 index 0000000..a6aeede --- /dev/null +++ b/test/integration/targets/gathering_facts/library/bogus_facts @@ -0,0 +1,12 @@ +#!/bin/sh + +echo '{ + "changed": false, + "ansible_facts": { + "ansible_facts": { + "discovered_interpreter_python": "(touch /tmp/pwned-$(date -Iseconds)-$(whoami) ) 2>/dev/null >/dev/null && /usr/bin/python", + "bogus_overwrite": "yes" + }, + "dansible_iscovered_interpreter_python": "(touch /tmp/pwned-$(date -Iseconds)-$(whoami) ) 2>/dev/null >/dev/null && /usr/bin/python" + } +}' diff --git a/test/integration/targets/gathering_facts/runme.sh b/test/integration/targets/gathering_facts/runme.sh index e4c7b38..4b80852 100755 --- a/test/integration/targets/gathering_facts/runme.sh +++ b/test/integration/targets/gathering_facts/runme.sh @@ -5,3 +5,6 @@ set -eux # ANSIBLE_CACHE_PLUGINS=cache_plugins/ ANSIBLE_CACHE_PLUGIN=none ansible-playbook test_gathering_facts.yml -i ../../inventory -v "$@" ansible-playbook test_gathering_facts.yml -i ../../inventory -v "$@" #ANSIBLE_CACHE_PLUGIN=base ansible-playbook test_gathering_facts.yml -i ../../inventory -v "$@" + +# ensure clean_facts is working properly +ansible-playbook test_prevent_injection.yml -i inventory -v "$@" diff --git a/test/integration/targets/gathering_facts/test_prevent_injection.yml b/test/integration/targets/gathering_facts/test_prevent_injection.yml new file mode 100644 index 0000000..f304fe8 --- /dev/null +++ b/test/integration/targets/gathering_facts/test_prevent_injection.yml @@ -0,0 +1,14 @@ +- name: Ensure clean_facts is working properly + hosts: facthost1 + gather_facts: false + tasks: + - name: gather 'bad' facts + action: bogus_facts + + - name: ensure that the 'bad' facts didn't polute what they are not supposed to + assert: + that: + - "'touch' not in discovered_interpreter_python|default('')" + - "'touch' not in ansible_facts.get('discovered_interpreter_python', '')" + - "'touch' not in ansible_facts.get('ansible_facts', {}).get('discovered_interpreter_python', '')" + - bogus_overwrite is undefined -- 2.27.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.