authorZuul <zuul@review.openstack.org>2018-11-28 19:24:44 +0000
committerGerrit Code Review <review@openstack.org>2018-11-28 19:24:44 +0000
commit2728e5d4adac81b3c79c6a453676565fc10fda9d (patch)
tree15b7a4403267e07213ae4b6fbe32f1d72ccf1222
parent21f29820c498f8bea28c25fe6f62a51590919af1 (diff)
parent8715505e6d38c092257179b8a089a2a560df5e58 (diff)
Merge "executor: harden add_host usage"3.3.1
-rw-r--r--releasenotes/notes/restrict-add-host-f82bff723568a025.yaml7
-rw-r--r--zuul/ansible/action/add_host.py43
2 files changed, 50 insertions, 0 deletions
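--- /dev/null
+++ b/releasenotes/notes/restrict-add-host-f82bff723568a025.yaml
@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    The add_host module options are restricted to a hostname, port, user and
+    password. Previously, malicious options could be used to bypass protection
+    and execute tasks on the executor. Only ssh and kubectl connection
+    are authorized.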
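--- /dev/null
+++ b/zuul/ansible/action/add_host.py
@@ -0,0 +1,43 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# This module is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software. If not, see <http://www.gnu.org/licenses/>.
+
+from zuul.ansible import paths
+add_host = paths._import_ansible_action_plugin("add_host")
+
+
+class ActionModule(add_host.ActionModule):
+
+    def run(self, tmp=None, task_vars=None):
+        safe_args = set((
+            'ansible_connection',
+            'ansible_host',
+            'ansible_port',
+            'ansible_user'
+            'ansible_password',
+            'ansible_ssh_host',
+            'ansible_ssh_port'
+            'ansible_ssh_user',
+            'ansible_ssh_pass',
+        ))
+        args = set(filter(
+            lambda x: x.startswith('ansible_'), self._task.args.keys()))
+        conn = self._task.args.get('ansible_connection', 'ssh')
+        if args.issubset(safe_args) and conn in ('kubectl', 'ssh'):
+            return super(ActionModule, self).run(tmp, task_vars)
+
+        return dict(
+            failed=True,
+            msg="Adding hosts %s with %s to the inventory is prohibited" % (
+                conn, " ".join(args.difference(safe_args))))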
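Review bot: The `safe_args` tuple in `run` is missing a comma after `'ansible_user'` and after `'ansible_ssh_port'`, so implicit adjacent-string concatenation folds them into `'ansible_useransible_password'` and `'ansible_ssh_portansible_ssh_user'`, and the four intended names never enter the allow-list. Any add_host task that sets `ansible_user`, `ansible_password`, `ansible_ssh_port` or `ansible_ssh_user` is therefore rejected even though the release note in this same commit documents user and password as permitted, and the failure message will list those options as the offending ones. The fix is the two lines `'ansible_user',` and `'ansible_ssh_port',`. This fails closed rather than open, so it is a functional regression rather than a weakening of the restriction, but a unit test calling `run` with each listed option would have caught it. Separately, the message built on the last lines reads as `Adding hosts ssh with ...` because `conn` fills the slot where a host name is expected; naming the connection explicitly, e.g. `"Adding hosts with connection %s and options %s to the inventory is prohibited"`, would make the rejection easier to diagnose.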