zuul/tests/fixtures/config/ansible/git/org_plugin-project/playbooks/roles/test-local-override/tasks
Monty Taylor 788a40e75c
Prevent execution of locally overridden core modules
We greylist some modules in our action plugin blocking, allowing them to
execute local code as long as it falls within safe constraints. Due to
the way Ansible module loading works, a user could attack this by
creating a module in a local role or adjacent to a playbook that has the
same name as one of the modules we allow limited local execution. If
they did that it would allow them to execute arbitrary Python code on
the executor.

Find the path of the module that will be executed in these cases and if
it is not within the ansible.modules package, disallow it. There are no
circumstances in which this is ok.

Change-Id: I7499e6b1091d745984ca36179de2793827c9f98f
2017-08-29 10:50:53 -05:00
main.yaml Prevent execution of locally overridden core modules 2017-08-29 10:50:53 -05:00