Prevent local code execution via the raw module
The raw module had not been restricted to remote nodes so jobs could run arbitrary code on the executor. Change-Id: I1b37eac65ef59ca749f55117a678c38969e86ead
This commit is contained in:
parent
3c73474c07
commit
5ae25f004a
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
The raw module had not been blocked for local tasks. This could be used
|
||||||
|
to bypass protection and execute commands on the executor.
|
3
tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-delegate.yaml
vendored
Normal file
3
tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-delegate.yaml
vendored
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
- hosts: all
|
||||||
|
roles:
|
||||||
|
- raw-test-delegate
|
11
tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-localhost.yaml
vendored
Normal file
11
tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-localhost.yaml
vendored
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
- hosts: localhost
|
||||||
|
roles:
|
||||||
|
- raw-test-localhost
|
||||||
|
|
||||||
|
- hosts: 127.0.0.1
|
||||||
|
roles:
|
||||||
|
- raw-test-localhost
|
||||||
|
|
||||||
|
- hosts: "::1"
|
||||||
|
roles:
|
||||||
|
- raw-test-localhost
|
|
@ -0,0 +1,5 @@
|
||||||
|
- include: script-delegate.yaml
|
||||||
|
with_items:
|
||||||
|
- ::1
|
||||||
|
- 127.0.0.1
|
||||||
|
- localhost
|
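Review bot: `- include: script-delegate.yaml` in this tasks file looks like a copy-paste leftover from the script fixture: the task it pulls in (the `raw: echo 123` task with `delegate_to: "{{ item }}"` in the following hunk, if that is the included file) exercises the raw module, so `- include: raw-delegate.yaml` would keep the role self-describing and avoid confusion with the real script fixtures. The file paths of these two hunks are not shown on the rendered page, so the pairing is inferred from the task content.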
|
@ -0,0 +1,11 @@
|
||||||
|
- name: Raw
|
||||||
|
raw: echo 123
|
||||||
|
delegate_to: "{{ item }}"
|
||||||
|
register: result
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- "result.failed == true"
|
||||||
|
- "'Executing local code is prohibited' in result.msg"
|
||||||
|
msg: Raw must fail due to local code execution restriction
|
|
@ -0,0 +1,10 @@
|
||||||
|
- name: Raw
|
||||||
|
raw: echo 123
|
||||||
|
register: result
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- "result.failed == true"
|
||||||
|
- "'Executing local code is prohibited' in result.msg"
|
||||||
|
msg: Script must fail due to local code execution restriction
|
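Review bot: The assertion message `msg: Script must fail due to local code execution restriction` names the wrong module — the task above it is `raw: echo 123`, and the sibling delegate fixture in the previous hunk already uses the correct wording; change it to `msg: Raw must fail due to local code execution restriction` so a failing run points at the right plugin. This appears to be the same copy-from-script pattern seen in the `include` line of the delegate role earlier in this commit.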
|
@ -147,6 +147,12 @@ class TestActionModules(AnsibleZuulTestCase):
|
||||||
def test_raw_module(self):
|
def test_raw_module(self):
|
||||||
self._run_job('raw-good', 'SUCCESS')
|
self._run_job('raw-good', 'SUCCESS')
|
||||||
|
|
||||||
|
# raw-delegate does multiple tests with various delegates. It
|
||||||
|
# asserts by itself within ansible so we
|
||||||
|
# expect SUCCESS here.
|
||||||
|
self._run_job('raw-delegate', 'SUCCESS')
|
||||||
|
self._run_job('raw-localhost', 'SUCCESS')
|
||||||
|
|
||||||
def test_script_module(self):
|
def test_script_module(self):
|
||||||
self._run_job('script-good', 'SUCCESS')
|
self._run_job('script-good', 'SUCCESS')
|
||||||
|
|
||||||
|
|
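Review bot: The comment added above `self._run_job('raw-delegate', 'SUCCESS')` explains why a job that tests a blocked module is expected to SUCCEED, but `self._run_job('raw-localhost', 'SUCCESS')` on the next line relies on the same in-playbook assertions and gets no explanation, so a reader may take the second SUCCESS for a mistake. Suggest widening the comment to cover both, e.g. `# raw-delegate and raw-localhost assert within ansible that the raw module is rejected, so both jobs are expected to SUCCEED here.` The enclosing TestActionModules class continues outside the hunk.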
|
@ -0,0 +1,32 @@
|
||||||
|
# Copyright 2019 BMW Group
|
||||||
|
#
|
||||||
|
# This module is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This software is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this software. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
|
||||||
|
from ansible.errors import AnsibleError
|
||||||
|
from zuul.ansible import paths
|
||||||
|
raw = paths._import_ansible_action_plugin("raw")
|
||||||
|
|
||||||
|
|
||||||
|
class ActionModule(raw.ActionModule):
|
||||||
|
|
||||||
|
def run(self, tmp=None, task_vars=None):
|
||||||
|
|
||||||
|
if not paths._is_official_module(self):
|
||||||
|
return paths._fail_module_dict(self._task.action)
|
||||||
|
|
||||||
|
if paths._is_localhost_task(self):
|
||||||
|
raise AnsibleError("Executing local code is prohibited")
|
||||||
|
|
||||||
|
return super(ActionModule, self).run(tmp, task_vars)
|
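Review bot: The new `ActionModule` class and its `run` override carry no docstring saying why a wrapper around the upstream `raw` plugin exists, so a reader arriving from the plugin loader has to reconstruct the intent from the two guards. Suggest a class docstring such as `"""Zuul wrapper for the upstream raw action plugin; refuses to run when the task targets the executor itself (see paths._is_localhost_task)."""` and a short comment on the `_is_localhost_task` branch stating that it is the guard this change adds. The fixtures in this commit cover `hosts:`/`delegate_to:` values of localhost, 127.0.0.1 and ::1; whether other ways of reaching the executor (for example a local connection on a differently named inventory host) are caught depends on `paths._is_localhost_task`, which is outside this diff, so it is worth confirming that helper's coverage or adding a fixture for it. Note also that the two guards report failure in different shapes — a dict from `_fail_module_dict` versus a raised `AnsibleError` — which is fine if it mirrors the sibling restricted plugins, but worth aligning otherwise.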