authorTristan Cacqueray <tdecacqu@redhat.com>2018-11-22 07:21:57 +0000
committerTobias Henkel <tobias.henkel@bmw.de>2018-11-28 08:27:11 +0100
commit8715505e6d38c092257179b8a089a2a560df5e58 (patch)
tree03a4f1d6455588ffac40ae306a537e031153c03d
parent8a58a358d12b719a4f45410c185b3df2e25f666c (diff)
executor: harden add_host usage
Since commit d07bc25fc2446b2291bcc50bb3e5d4485630e000, it is possible for an untrusted playbook to execute commands on the executor host. This change restores the add_host restriction and white-lists the intended use case. Change-Id: I36cc604c62a50c95260d076a63a53f28b197792d
Notes
Notes (review): Code-Review+2: Tobias Henkel <tobias.henkel@bmw.de> Code-Review+2: Monty Taylor <mordred@inaugust.com> Workflow+1: Monty Taylor <mordred@inaugust.com> Code-Review+2: James E. Blair <corvus@inaugust.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Wed, 28 Nov 2018 19:24:44 +0000 Reviewed-on: https://review.openstack.org/620635 Project: openstack-infra/zuul Branch: refs/heads/master
-rw-r--r--releasenotes/notes/restrict-add-host-f82bff723568a025.yaml7
-rw-r--r--zuul/ansible/action/add_host.py43
2 files changed, 50 insertions, 0 deletions
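diff --git a/releasenotes/notes/restrict-add-host-f82bff723568a025.yaml b/releasenotes/notes/restrict-add-host-f82bff723568a025.yaml
new file mode 100644
index 0000000..59cb4e5
--- /dev/null
+++ b/releasenotes/notes/restrict-add-host-f82bff723568a025.yaml
@@ -0,0 +1,7 @@
+---
+security:
+ - |
+ The add_host module options are restricted to a hostname, port, user and
+ password. Previously, malicious options could be used to bypass protection
+ and execute tasks on the executor. Only ssh and kubectl connection
+ are authorized.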
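diff --git a/zuul/ansible/action/add_host.py b/zuul/ansible/action/add_host.py
new file mode 100644
index 0000000..982c808
--- /dev/null
+++ b/zuul/ansible/action/add_host.py
@@ -0,0 +1,43 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# This module is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software. If not, see <http://www.gnu.org/licenses/>.
+
+from zuul.ansible import paths
+add_host = paths._import_ansible_action_plugin("add_host")
+
+
+class ActionModule(add_host.ActionModule):
+
+ def run(self, tmp=None, task_vars=None):
+ safe_args = set((
+ 'ansible_connection',
+ 'ansible_host',
+ 'ansible_port',
+ 'ansible_user'
+ 'ansible_password',
+ 'ansible_ssh_host',
+ 'ansible_ssh_port'
+ 'ansible_ssh_user',
+ 'ansible_ssh_pass',
+ ))
+ args = set(filter(
+ lambda x: x.startswith('ansible_'), self._task.args.keys()))
+ conn = self._task.args.get('ansible_connection', 'ssh')
+ if args.issubset(safe_args) and conn in ('kubectl', 'ssh'):
+ return super(ActionModule, self).run(tmp, task_vars)
+
+ return dict(
+ failed=True,
+ msg="Adding hosts %s with %s to the inventory is prohibited" % (
+ conn, " ".join(args.difference(safe_args))))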
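Review bot: The `safe_args` tuple in `run` is missing a comma after `'ansible_user'` and after `'ansible_ssh_port'`, so Python joins each with the literal on the next line into `'ansible_useransible_password'` and `'ansible_ssh_portansible_ssh_user'`. As a result `ansible_user`, `ansible_password`, `ansible_ssh_port` and `ansible_ssh_user` are not in the allow-list, and a task that sets any of them is rejected. The check fails closed, so nothing extra is permitted, but the user/password use case the release note describes does not work. The two lines should read `'ansible_user',` and `'ansible_ssh_port',`. A unit test that passes each intended key through `run` and one disallowed `ansible_*` key would pin the allow-list and catch this kind of silent concatenation.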