executor: harden add_host usage

Since commit d07bc25fc2446b2291bcc50bb3e5d4485630e000, it is possible for an untrusted playbook to execute commands on the executor host. This change restores the add_host restriction and white-lists the intended use case. Change-Id: I36cc604c62a50c95260d076a63a53f28b197792d
2018-11-22 07:21:57 +00:00 · 2018-11-22 07:21:57 +00:00 · 8715505e6d
commit 8715505e6d
parent 8a58a358d1
2 changed files with 50 additions and 0 deletions
--- a/releasenotes/notes/restrict-add-host-f82bff723568a025.yaml
+++ b/releasenotes/notes/restrict-add-host-f82bff723568a025.yaml
@ -0,0 +1,7 @@
+---
+security:
+  - |
+    The add_host module options are restricted to a hostname, port, user and
+    password. Previously, malicious options could be used to bypass protection
+    and execute tasks on the executor. Only ssh and kubectl connection
+    are authorized.
--- a/zuul/ansible/action/add_host.py
+++ b/zuul/ansible/action/add_host.py
@ -0,0 +1,43 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# This module is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software.  If not, see <http://www.gnu.org/licenses/>.
+
+from zuul.ansible import paths
+add_host = paths._import_ansible_action_plugin("add_host")
+
+
+class ActionModule(add_host.ActionModule):
+
+    def run(self, tmp=None, task_vars=None):
+        safe_args = set((
+            'ansible_connection',
+            'ansible_host',
+            'ansible_port',
+            'ansible_user'
+            'ansible_password',
+            'ansible_ssh_host',
+            'ansible_ssh_port'
+            'ansible_ssh_user',
+            'ansible_ssh_pass',
+        ))
+        args = set(filter(
+            lambda x: x.startswith('ansible_'), self._task.args.keys()))
+        conn = self._task.args.get('ansible_connection', 'ssh')
+        if args.issubset(safe_args) and conn in ('kubectl', 'ssh'):
+            return super(ActionModule, self).run(tmp, task_vars)
+
+        return dict(
+            failed=True,
+            msg="Adding hosts %s with %s to the inventory is prohibited" % (
+                conn, " ".join(args.difference(safe_args))))