executor: harden add_host usage

Since commit d07bc25fc2, it is possible
for an untrusted playbook to execute commands on the executor host.
This change restores the add_host restriction and white-lists the
intended use case.

Change-Id: I36cc604c62a50c95260d076a63a53f28b197792d
Tristan Cacqueray 2018-11-22 07:21:57 +00:00 committed by Tobias Henkel
parent 8a58a358d1
commit 8715505e6d
No known key found for this signature in database
GPG Key ID: 03750DEC158E5FA2
2 changed files with 50 additions and 0 deletions

@ -0,0 +1,7 @@
---
security:
- |
The add_host module options are restricted to a hostname, port, user and
password. Previously, malicious options could be used to bypass protection
and execute tasks on the executor. Only ssh and kubectl connection
are authorized.
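
Review bot: The release note names the permitted options only generically ("a hostname, port, user and password") and does not say that ansible_connection itself is still accepted, so a job author cannot tell from it which variable names will pass. List the exact accepted names from the plugin's safe_args (both the ansible_* and ansible_ssh_* spellings) and state that any other ansible_-prefixed option makes the task fail. In the last sentence, "connection" should be plural: "Only ssh and kubectl connections are authorized."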

@ -0,0 +1,43 @@
# Copyright 2018 Red Hat, Inc.
#
# This module is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This software is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this software. If not, see <http://www.gnu.org/licenses/>.
from zuul.ansible import paths
add_host = paths._import_ansible_action_plugin("add_host")
class ActionModule(add_host.ActionModule):
def run(self, tmp=None, task_vars=None):
safe_args = set((
'ansible_connection',
'ansible_host',
'ansible_port',
'ansible_user'
'ansible_password',
'ansible_ssh_host',
'ansible_ssh_port'
'ansible_ssh_user',
'ansible_ssh_pass',
))
args = set(filter(
lambda x: x.startswith('ansible_'), self._task.args.keys()))
conn = self._task.args.get('ansible_connection', 'ssh')
if args.issubset(safe_args) and conn in ('kubectl', 'ssh'):
return super(ActionModule, self).run(tmp, task_vars)
return dict(
failed=True,
msg="Adding hosts %s with %s to the inventory is prohibited" % (
conn, " ".join(args.difference(safe_args))))
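
Review bot: In safe_args the commas are missing after 'ansible_user' and after 'ansible_ssh_port', so Python joins each with the literal on the next line and the set ends up holding 'ansible_useransible_password' and 'ansible_ssh_portansible_ssh_user' instead of four separate names. The check fails closed, so this is not a bypass, but a task that passes ansible_user, ansible_password, ansible_ssh_port or ansible_ssh_user is rejected even though the release note says user, password and port are allowed. Add the two commas, and add a test that exercises every permitted option as well as a rejected one. Two smaller points in the same method: only keys that start with 'ansible_' are compared against the list, which deserves a comment saying that other keys are deliberately passed through as plain host variables; and the failure message puts conn where the sentence reads "hosts", so something like "Adding hosts with connection %s and options %s" would be clearer.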