Prevent local code execution via the raw module

The raw module had not been restricted to remote nodes so jobs could
run arbitrary code on the executor.

Change-Id: I1b37eac65ef59ca749f55117a678c38969e86ead
This commit is contained in:
Tobias Henkel 2019-02-17 17:10:55 +01:00
parent 3c73474c07
commit 5ae25f004a
No known key found for this signature in database
GPG Key ID: 03750DEC158E5FA2
9 changed files with 83 additions and 0 deletions


@ -0,0 +1,5 @@
---
security:
- |
The raw module had not been blocked for local tasks. This could be used
to bypass protection and execute commands on the executor.


@ -0,0 +1,3 @@
- hosts: all
roles:
- raw-test-delegate


@ -0,0 +1,11 @@
- hosts: localhost
roles:
- raw-test-localhost
- hosts: 127.0.0.1
roles:
- raw-test-localhost
- hosts: "::1"
roles:
- raw-test-localhost


@ -0,0 +1,5 @@
- include: script-delegate.yaml
with_items:
- ::1
- 127.0.0.1
- localhost


@ -0,0 +1,11 @@
- name: Raw
raw: echo 123
delegate_to: "{{ item }}"
register: result
ignore_errors: true
- assert:
that:
- "result.failed == true"
- "'Executing local code is prohibited' in result.msg"
msg: Raw must fail due to local code execution restriction


@ -0,0 +1,10 @@
- name: Raw
raw: echo 123
register: result
ignore_errors: true
- assert:
that:
- "result.failed == true"
- "'Executing local code is prohibited' in result.msg"
msg: Script must fail due to local code execution restriction
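Review bot: The assert message on the last line of this fixture says "Script must fail" although the task under test is the `raw` module; it reads as a copy of the script fixture and will mislead whoever reads a failing job log. Change it to `msg: Raw must fail due to local code execution restriction`, matching the wording in the delegate fixture. The `result.failed` / `result.msg` assertions themselves are correct for the `AnsibleError` text raised by the new action plugin.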


@ -147,6 +147,12 @@ class TestActionModules(AnsibleZuulTestCase):
def test_raw_module(self):
self._run_job('raw-good', 'SUCCESS')
# raw-delegate does multiple tests with various delegates. It
# asserts by itself within ansible so we
# expect SUCCESS here.
self._run_job('raw-delegate', 'SUCCESS')
self._run_job('raw-localhost', 'SUCCESS')
def test_script_module(self):
self._run_job('script-good', 'SUCCESS')
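Review bot: The comment added above the `raw-delegate` run is wrapped awkwardly ("so we / expect SUCCESS here") and only explains one of the two new jobs, although `raw-localhost` relies on the same mechanism: its playbook sets `ignore_errors` and asserts the prohibition message itself, so SUCCESS is the expected verdict. Suggest replacing the three comment lines with `# raw-delegate and raw-localhost exercise the localhost restriction with several delegate/host forms; each playbook asserts the failure itself, so the job is expected to SUCCEED.` The enclosing class `TestActionModules` starts outside this hunk.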


@ -0,0 +1,32 @@
# Copyright 2019 BMW Group
#
# This module is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This software is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this software. If not, see <http://www.gnu.org/licenses/>.
from ansible.errors import AnsibleError
from zuul.ansible import paths
raw = paths._import_ansible_action_plugin("raw")
class ActionModule(raw.ActionModule):
def run(self, tmp=None, task_vars=None):
if not paths._is_official_module(self):
return paths._fail_module_dict(self._task.action)
if paths._is_localhost_task(self):
raise AnsibleError("Executing local code is prohibited")
return super(ActionModule, self).run(tmp, task_vars)
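Review bot: `ActionModule.run` carries no docstring, so the reason a localhost target is rejected, which is the entire purpose of this file, is only discoverable from the commit message. Suggest a docstring on `run` stating that the playbook itself runs on the executor, so a `raw` task targeting localhost, directly or through `delegate_to` (the fixtures cover `localhost`, `127.0.0.1` and `::1`), would run shell commands on the executor, and that the actual host check is `paths._is_localhost_task`, defined outside this hunk. The two guards also fail differently, `_fail_module_dict` returns a result while the localhost case raises; a short comment such as `# Raising aborts the task; Ansible reports it as failed with this text in result.msg, which the raw-localhost/raw-delegate fixtures assert on.` would make that deliberate.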
