authorTobias Henkel <tobias.henkel@bmw.de>2019-02-17 17:10:55 +0100
committerTobias Henkel <tobias.henkel@bmw.de>2019-03-11 17:49:38 +0100
commit5ae25f004a32ea76558564612903cef917c3e5b9 (patch)
tree9a4ace98963a49c246c341844625bd13701d0cc1
parent3c73474c0775ad21712c86502096a5ce64e5ac35 (diff)
Prevent local code execution via the raw module3.6.1
The raw module had not been restricted to remote nodes so jobs could run arbitrary code on the executor. Change-Id: I1b37eac65ef59ca749f55117a678c38969e86ead
Notes
Notes (review): Code-Review+2: Monty Taylor <mordred@inaugust.com> Code-Review+2: James E. Blair <corvus@inaugust.com> Workflow+1: James E. Blair <corvus@inaugust.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Mon, 11 Mar 2019 17:45:41 +0000 Reviewed-on: https://review.openstack.org/642518 Project: openstack-infra/zuul Branch: refs/heads/master
-rw-r--r--releasenotes/notes/localhost-raw-d841413f8743f8b8.yaml5
-rw-r--r--tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-delegate.yaml3
-rw-r--r--tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-localhost.yaml11
-rw-r--r--tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-delegate/tasks/main.yaml5
-rw-r--r--tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-delegate/tasks/script-delegate.yaml11
-rw-r--r--tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-localhost/tasks/main.yaml10
-rw-r--r--tests/remote/test_remote_action_modules.py6
-rw-r--r--zuul/ansible/action/raw.py32
-rw-r--r--zuul/ansible/action/raw.pyi0
9 files changed, 83 insertions, 0 deletions
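--- /dev/null
+++ b/releasenotes/notes/localhost-raw-d841413f8743f8b8.yaml
@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    The raw module had not been blocked for local tasks. This could be used
+    to bypass protection and execute commands on the executor.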
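--- /dev/null
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-delegate.yaml
@@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+    - raw-test-delegate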
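--- /dev/null
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-localhost.yaml
@@ -0,0 +1,11 @@
+- hosts: localhost
+  roles:
+    - raw-test-localhost
+
+- hosts: 127.0.0.1
+  roles:
+    - raw-test-localhost
+
+- hosts: "::1"
+  roles:
+    - raw-test-localhost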
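--- /dev/null
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-delegate/tasks/main.yaml
@@ -0,0 +1,5 @@
+- include: script-delegate.yaml
+  with_items:
+    - ::1
+    - 127.0.0.1
+    - localhost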
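--- /dev/null
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-delegate/tasks/script-delegate.yaml
@@ -0,0 +1,11 @@
+- name: Raw
+  raw: echo 123
+  delegate_to: "{{ item }}"
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Executing local code is prohibited' in result.msg"
+    msg: Raw must fail due to local code execution restriction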
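--- /dev/null
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-localhost/tasks/main.yaml
@@ -0,0 +1,10 @@
+- name: Raw
+  raw: echo 123
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Executing local code is prohibited' in result.msg"
+    msg: Script must fail due to local code execution restriction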
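Review bot: The assert message on line 10, `msg: Script must fail due to local code execution restriction`, names the wrong module; this role exercises the raw task, and the sibling script-delegate.yaml fixture in the same commit uses `Raw must fail ...` for the identical check. It should read `msg: Raw must fail due to local code execution restriction` so a failing run of the raw-localhost job points at the right module rather than at the script tests.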
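--- a/tests/remote/test_remote_action_modules.py
+++ b/tests/remote/test_remote_action_modules.py
@@ -147,6 +147,12 @@ class TestActionModules(AnsibleZuulTestCase):
     def test_raw_module(self):
         self._run_job('raw-good', 'SUCCESS')
 
+        # raw-delegate does multiple tests with various delegates. It
+        # asserts by itself within ansible so we
+        # expect SUCCESS here.
+        self._run_job('raw-delegate', 'SUCCESS')
+        self._run_job('raw-localhost', 'SUCCESS')
+
     def test_script_module(self):
         self._run_job('script-good', 'SUCCESS')
 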
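Review bot: The comment added at new lines 150-152 explains the SUCCESS expectation only for raw-delegate, but the raw-localhost job on line 154 depends on the same mechanism (its fixture role asserts inside the playbook that the raw task fails with the prohibition message), so a reader may wonder why a test of a blocked action expects SUCCESS. Suggest rewording the comment to cover both jobs, e.g. `# raw-delegate and raw-localhost assert inside ansible that the raw` / `# task is rejected on localhost targets, so the jobs themselves are` / `# expected to SUCCEED.`. The oddly wrapped `# asserts by itself within ansible so we` / `# expect SUCCESS here.` pair can be rejoined while doing so.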
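--- /dev/null
+++ b/zuul/ansible/action/raw.py
@@ -0,0 +1,32 @@
+# Copyright 2019 BMW Group
+#
+# This module is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software. If not, see <http://www.gnu.org/licenses/>.
+
+
+from ansible.errors import AnsibleError
+from zuul.ansible import paths
+raw = paths._import_ansible_action_plugin("raw")
+
+
+class ActionModule(raw.ActionModule):
+
+    def run(self, tmp=None, task_vars=None):
+
+        if not paths._is_official_module(self):
+            return paths._fail_module_dict(self._task.action)
+
+        if paths._is_localhost_task(self):
+            raise AnsibleError("Executing local code is prohibited")
+
+        return super(ActionModule, self).run(tmp, task_vars)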
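Review bot: The new ActionModule on line 22 carries no docstring, so the reason this override exists — the commit message's point that an unrestricted raw task runs its command on the executor itself — is not recorded in the code a future maintainer will read. Suggest a class docstring along the lines of `"""Restrict the raw action to remote nodes; a localhost or locally delegated target would run the command on the executor."""`. Both checks defer to `paths._is_official_module` and `paths._is_localhost_task`, whose definitions are outside this diff; the new fixtures only exercise `hosts:` and `delegate_to:` with localhost names, so it is worth confirming that `_is_localhost_task` also treats a task with `connection: local` on a remote host as local, or adding a fixture for it. Since Zuul runs on Python 3, `super().run(tmp, task_vars)` would be the idiomatic spelling of line 32, if that matches the sibling action plugins.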
diff --git a/zuul/ansible/action/raw.pyi b/zuul/ansible/action/raw.pyi
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/zuul/ansible/action/raw.pyi