Prevent local code execution via the raw module
The raw module had not been restricted to remote nodes so jobs could run arbitrary code on the executor. Change-Id: I1b37eac65ef59ca749f55117a678c38969e86ead
parent
3c73474c07
commit
5ae25f004a
@ -0,0 +1,5 @@
|
|||
---
|
||||
security:
|
||||
- |
|
||||
The raw module had not been blocked for local tasks. This could be used
|
||||
to bypass protection and execute commands on the executor.
|
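--- a/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-delegate.yaml
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-delegate.yaml
@@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+    - raw-test-delegate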
|
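--- a/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-localhost.yaml
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-localhost.yaml
@@ -0,0 +1,11 @@
+- hosts: localhost
+  roles:
+    - raw-test-localhost
+
+- hosts: 127.0.0.1
+  roles:
+    - raw-test-localhost
+
+- hosts: "::1"
+  roles:
+    - raw-test-localhost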
|
|
@ -0,0 +1,5 @@
|
|||
- include: script-delegate.yaml
|
||||
with_items:
|
||||
- ::1
|
||||
- 127.0.0.1
|
||||
- localhost
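Review bot: The task list includes `script-delegate.yaml`, yet the role it belongs to exercises the `raw` module (the delegated task file in this commit asserts `Raw must fail`), so the name reads like a leftover from the script fixture it was copied from. If the task file was copied under that name it will still run, but renaming both the file and this include to `raw-delegate.yaml` keeps the fixture self-describing; the path of this file is not shown in the hunk, so I cannot confirm which role it sits in. Separately, bare `include` is deprecated in Ansible in favour of `include_tasks`; if every Ansible version this test runs against supports it, `- include_tasks: raw-delegate.yaml` avoids the deprecation warning in the job log.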
|
|
@ -0,0 +1,11 @@
|
|||
- name: Raw
|
||||
raw: echo 123
|
||||
delegate_to: "{{ item }}"
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "result.failed == true"
|
||||
- "'Executing local code is prohibited' in result.msg"
|
||||
msg: Raw must fail due to local code execution restriction
|
|
@ -0,0 +1,10 @@
|
|||
- name: Raw
|
||||
raw: echo 123
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "result.failed == true"
|
||||
- "'Executing local code is prohibited' in result.msg"
|
||||
msg: Script must fail due to local code execution restriction
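Review bot: The assertion message on the last line says `Script must fail due to local code execution restriction`, but the task being asserted is `raw: echo 123` a few lines above; this looks copied from the script fixture and will mislead whoever reads a failing job log for the raw-localhost job. Change it to `msg: Raw must fail due to local code execution restriction`, which is what the delegated variant in this same commit already says. The file path is not shown in this hunk, so I am inferring the role from the task content.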
|
|
@ -147,6 +147,12 @@ class TestActionModules(AnsibleZuulTestCase):
|
|||
def test_raw_module(self):
|
||||
self._run_job('raw-good', 'SUCCESS')
|
||||
|
||||
# raw-delegate does multiple tests with various delegates. It
|
||||
# asserts by itself within ansible so we
|
||||
# expect SUCCESS here.
|
||||
self._run_job('raw-delegate', 'SUCCESS')
|
||||
self._run_job('raw-localhost', 'SUCCESS')
|
||||
|
||||
def test_script_module(self):
|
||||
self._run_job('script-good', 'SUCCESS')
|
||||
|
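Review bot: The comment added above `self._run_job('raw-delegate', 'SUCCESS')` explains that the assertions live inside the playbook, but the `raw-localhost` job on the next line relies on exactly the same pattern and is left unexplained, so a reader may wonder why a job meant to prove a rejection expects SUCCESS. Extend it to cover both, e.g. `# raw-delegate and raw-localhost assert inside ansible that raw is rejected on localhost (directly or via delegate_to), so SUCCESS here means the restriction held.` test_raw_module is complete within the hunk; test_script_module continues past it.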
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
# Copyright 2019 BMW Group
|
||||
#
|
||||
# This module is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This software is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this software. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
|
||||
from ansible.errors import AnsibleError
|
||||
from zuul.ansible import paths
|
||||
raw = paths._import_ansible_action_plugin("raw")
|
||||
|
||||
|
||||
class ActionModule(raw.ActionModule):
|
||||
|
||||
def run(self, tmp=None, task_vars=None):
|
||||
|
||||
if not paths._is_official_module(self):
|
||||
return paths._fail_module_dict(self._task.action)
|
||||
|
||||
if paths._is_localhost_task(self):
|
||||
raise AnsibleError("Executing local code is prohibited")
|
||||
|
||||
return super(ActionModule, self).run(tmp, task_vars)
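Review bot: The localhost guard in `run` rests entirely on `paths._is_localhost_task`, which is not in this hunk; if that helper keys on the inventory hostname (localhost / 127.0.0.1 / ::1, which is exactly what the new fixtures exercise) rather than on the resolved connection, a host with any other name and `ansible_connection: local` would still run `raw` on the executor. Worth confirming the helper also inspects the connection type (for example `self._connection.transport == 'local'`) or that the job-supplied inventory cannot set `ansible_connection` at all, and adding a fixture for that case if it can. The two checks also fail differently — `_is_official_module` returns a failed result dict while the localhost case raises `AnsibleError`; if that mirrors the other Zuul action plugins it is fine, otherwise unify them. A short class docstring would help, e.g. `"""Wrap Ansible's raw action plugin so it cannot execute on the executor itself."""`.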
|