
Prevent local code execution via the raw module

The raw module had not been restricted to remote nodes so jobs could
run arbitrary code on the executor.

Change-Id: I1b37eac65ef59ca749f55117a678c38969e86ead
tags/3.6.1^0
Tobias Henkel 3 months ago
parent
commit
5ae25f004a

+ 5
- 0
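--- /dev/null
+++ b/releasenotes/notes/localhost-raw-d841413f8743f8b8.yaml
@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    The raw module had not been blocked for local tasks. This could be used
+    to bypass protection and execute commands on the executor.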

+ 3
- 0
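--- /dev/null
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-delegate.yaml
@@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+    - raw-test-delegate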

+ 11
- 0
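--- /dev/null
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-localhost.yaml
@@ -0,0 +1,11 @@
+- hosts: localhost
+  roles:
+    - raw-test-localhost
+
+- hosts: 127.0.0.1
+  roles:
+    - raw-test-localhost
+
+- hosts: "::1"
+  roles:
+    - raw-test-localhost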
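Review bot: The three plays only vary the loopback name given to `hosts:`, so a task that reaches the executor through a non-loopback inventory name with `ansible_connection: local` is not exercised by this fixture or by the delegate fixture. Whether `paths._is_localhost_task` also keys on the connection type is not visible in this commit, so if it does not, that path is the one left open. A fourth play along the lines of `- hosts: all`, `vars: {ansible_connection: local}`, `roles: [raw-test-localhost]` would pin it either way; if the helper already covers it the play is cheap and documents the guarantee.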

+ 5
- 0
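--- /dev/null
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-delegate/tasks/main.yaml
@@ -0,0 +1,5 @@
+- include: script-delegate.yaml
+  with_items:
+    - ::1
+    - 127.0.0.1
+    - localhost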
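Review bot: `::1` is written as a bare plain scalar here but quoted as `"::1"` in raw-localhost.yaml; it parses either way, but the unquoted form is the one that trips readers and linters, so I would quote it here too for consistency, `- "::1"`. Looping over `include:` with `with_items` is the older form; if the Ansible versions Zuul supports allow it, `include_tasks:` is the current spelling, but that depends on the supported version range, which this commit does not show.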

+ 11
- 0
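--- /dev/null
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-delegate/tasks/script-delegate.yaml
@@ -0,0 +1,11 @@
+- name: Raw
+  raw: echo 123
+  delegate_to: "{{ item }}"
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Executing local code is prohibited' in result.msg"
+    msg: Raw must fail due to local code execution restriction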
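Review bot: The task file is named `script-delegate.yaml` although every task in it exercises the raw module; the name reads as a leftover from the script fixture it was copied from and will send the next reader to the wrong role. I would rename it to `raw-delegate.yaml` and update the `include:` line in this role's tasks/main.yaml to match. The assertions themselves look right for the new guard: `ignore_errors: true` keeps the play alive and the message check pins the exact error string raised in zuul/ansible/action/raw.py.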

+ 10
- 0
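--- /dev/null
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-localhost/tasks/main.yaml
@@ -0,0 +1,10 @@
+- name: Raw
+  raw: echo 123
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Executing local code is prohibited' in result.msg"
+    msg: Script must fail due to local code execution restriction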
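Review bot: The assert message on the last line says `Script must fail ...` but this role runs the raw module; it was carried over from the script fixture and will mislead whoever reads a failing job. Change it to `msg: Raw must fail due to local code execution restriction`, matching the sibling raw-test-delegate role.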

+ 6
- 0
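--- a/tests/remote/test_remote_action_modules.py
+++ b/tests/remote/test_remote_action_modules.py
@@ -147,6 +147,12 @@ class TestActionModules(AnsibleZuulTestCase):
     def test_raw_module(self):
         self._run_job('raw-good', 'SUCCESS')
 
+        # raw-delegate does multiple tests with various delegates. It
+        # asserts by itself within ansible so we
+        # expect SUCCESS here.
+        self._run_job('raw-delegate', 'SUCCESS')
+        self._run_job('raw-localhost', 'SUCCESS')
+
     def test_script_module(self):
         self._run_job('script-good', 'SUCCESS')
 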

+ 32
- 0
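--- /dev/null
+++ b/zuul/ansible/action/raw.py
@@ -0,0 +1,32 @@
+# Copyright 2019 BMW Group
+#
+# This module is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software.  If not, see <http://www.gnu.org/licenses/>.
+
+
+from ansible.errors import AnsibleError
+from zuul.ansible import paths
+raw = paths._import_ansible_action_plugin("raw")
+
+
+class ActionModule(raw.ActionModule):
+
+    def run(self, tmp=None, task_vars=None):
+
+        if not paths._is_official_module(self):
+            return paths._fail_module_dict(self._task.action)
+
+        if paths._is_localhost_task(self):
+            raise AnsibleError("Executing local code is prohibited")
+
+        return super(ActionModule, self).run(tmp, task_vars)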
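Review bot: Whether this closes the hole rests entirely on `paths._is_localhost_task`, which is outside this commit; what can be confirmed here is the wiring, and it is right: the localhost guard sits after the official-module check and before control reaches Ansible's own raw action, so there is no path to the parent `run` for a task that targets the executor. The class and method carry no documentation, and for a security guard the intent should be spelled out; I would add `"""Zuul wrapper around Ansible's raw action that refuses to execute on the executor itself."""` as the class docstring and, above the localhost check, `# raw hands a command straight to the connection; never let that connection be the executor.` The module-level `raw = paths._import_ansible_action_plugin("raw")` follows the imports with no blank line, which PEP 8 separates with one. The message string is asserted verbatim by the new fixtures, so any later rewording must update both roles.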

+ 0
- 0
zuul/ansible/action/raw.pyi View File

