
executor: harden add_host usage

Since commit d07bc25fc2446b2291bcc50bb3e5d4485630e000, it is possible
for an untrusted playbook to execute commands on the executor host.
This change restores the add_host restriction and white-lists the
intended use case.

Change-Id: I36cc604c62a50c95260d076a63a53f28b197792d
tags/3.3.1^2
Tristan Cacqueray 6 months ago
parent
commit
8715505e6d

+ 7
- 0
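--- a/releasenotes/notes/restrict-add-host-f82bff723568a025.yaml
+++ b/releasenotes/notes/restrict-add-host-f82bff723568a025.yaml
@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    The add_host module options are restricted to a hostname, port, user and
+    password. Previously, malicious options could be used to bypass protection
+    and execute tasks on the executor. Only ssh and kubectl connection
+    are authorized.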

+ 43
- 0
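--- a/zuul/ansible/action/add_host.py
+++ b/zuul/ansible/action/add_host.py
@@ -0,0 +1,43 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# This module is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software.  If not, see <http://www.gnu.org/licenses/>.
+
+from zuul.ansible import paths
+add_host = paths._import_ansible_action_plugin("add_host")
+
+
+class ActionModule(add_host.ActionModule):
+
+    def run(self, tmp=None, task_vars=None):
+        safe_args = set((
+            'ansible_connection',
+            'ansible_host',
+            'ansible_port',
+            'ansible_user'
+            'ansible_password',
+            'ansible_ssh_host',
+            'ansible_ssh_port'
+            'ansible_ssh_user',
+            'ansible_ssh_pass',
+        ))
+        args = set(filter(
+            lambda x: x.startswith('ansible_'), self._task.args.keys()))
+        conn = self._task.args.get('ansible_connection', 'ssh')
+        if args.issubset(safe_args) and conn in ('kubectl', 'ssh'):
+            return super(ActionModule, self).run(tmp, task_vars)
+
+        return dict(
+            failed=True,
+            msg="Adding hosts %s with %s to the inventory is prohibited" % (
+                conn, " ".join(args.difference(safe_args))))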
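Review bot: In `run`, the `safe_args` tuple is missing a comma after `'ansible_user'` and after `'ansible_ssh_port'`, so adjacent string literals are concatenated and the set holds `'ansible_useransible_password'` and `'ansible_ssh_portansible_ssh_user'` instead of the four intended names. The check therefore fails closed: a task passing `ansible_user`, `ansible_password`, `ansible_ssh_port` or `ansible_ssh_user` is rejected, which contradicts the release note's statement that user, port and password are permitted. The two lines should read `'ansible_user',` and `'ansible_ssh_port',`. The allow-list is also applied only to keys starting with `ansible_`, so a short comment stating why all other keys are considered harmless would help. A unit test covering each allowed name plus one rejected option would catch a regression like this one.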
