diff options
| author | Brian Coca <bcoca@users.noreply.github.com> | 2020-04-08 14:28:51 -0400 |
|---|---|---|
| committer | Matt Clay <matt@mystile.com> | 2020-04-15 12:47:45 -0700 |
| commit | 6f75aa26648de5d9882528c3862f5127230bf31f (patch) | |
| tree | f96524a10c631b188d87c52686e507a8a14b0794 /test | |
| parent | 2a563514f070a0a8ba64aebf6bce21194be96c73 (diff) | |
| download | ansible-6f75aa26648de5d9882528c3862f5127230bf31f.tar.gz | |
fixed fetch traversal from slurp (#68720)
* fixed fetch traversal from slurp
* ignore slurp result for dest
* fixed naming when source is relative
* added tests with fake slurp
* moved existing role tests into runme.sh
* normalized on action excepts
* moved dest transform down to when needed
* added is_subpath check
fixes #67793
CVE-2019-3828
(cherry picked from commit ba87c225cd13343c35075fe7fc15b4cf1343fed6)
Diffstat (limited to 'test')
| -rw-r--r-- | test/integration/targets/fetch/aliases | 1 | ||||
| -rw-r--r-- | test/integration/targets/fetch/injection/avoid_slurp_return.yml | 26 | ||||
| -rw-r--r-- | test/integration/targets/fetch/injection/here.txt | 1 | ||||
| -rw-r--r-- | test/integration/targets/fetch/injection/library/slurp.py | 29 | ||||
| -rw-r--r-- | test/integration/targets/fetch/roles/fetch_tests/meta/main.yml (renamed from test/integration/targets/fetch/meta/main.yml) | 1 | ||||
| -rw-r--r-- | test/integration/targets/fetch/roles/fetch_tests/tasks/main.yml (renamed from test/integration/targets/fetch/tasks/main.yml) | 0 | ||||
| -rw-r--r-- | test/integration/targets/fetch/run_fetch_tests.yml | 5 | ||||
| -rwxr-xr-x | test/integration/targets/fetch/runme.sh | 12 |
8 files changed, 74 insertions, 1 deletions
diff --git a/test/integration/targets/fetch/aliases b/test/integration/targets/fetch/aliases index 765b70da79..fb5d6faa35 100644 --- a/test/integration/targets/fetch/aliases +++ b/test/integration/targets/fetch/aliases @@ -1 +1,2 @@ shippable/posix/group2 +needs/target/setup_remote_tmp_dir diff --git a/test/integration/targets/fetch/injection/avoid_slurp_return.yml b/test/integration/targets/fetch/injection/avoid_slurp_return.yml new file mode 100644 index 0000000000..af62dcf4b8 --- /dev/null +++ b/test/integration/targets/fetch/injection/avoid_slurp_return.yml @@ -0,0 +1,26 @@ +- name: ensure that 'fake slurp' does not poison fetch source + hosts: localhost + gather_facts: False + tasks: + - name: fetch with relative source path + fetch: src=../injection/here.txt dest={{output_dir}} + become: true + register: islurp + + - name: fetch with normal source path + fetch: src=here.txt dest={{output_dir}} + become: true + register: islurp2 + + - name: ensure all is good in hollywood + assert: + that: + - "'..' not in islurp['dest']" + - "'..' not in islurp2['dest']" + - "'foo' not in islurp['dest']" + - "'foo' not in islurp2['dest']" + + - name: try to trip dest anyways + fetch: src=../injection/here.txt dest={{output_dir}} + become: true + register: islurp2 diff --git a/test/integration/targets/fetch/injection/here.txt b/test/integration/targets/fetch/injection/here.txt new file mode 100644 index 0000000000..493021b1c9 --- /dev/null +++ b/test/integration/targets/fetch/injection/here.txt @@ -0,0 +1 @@ +this is a test file diff --git a/test/integration/targets/fetch/injection/library/slurp.py b/test/integration/targets/fetch/injection/library/slurp.py new file mode 100644 index 0000000000..7b78ba1805 --- /dev/null +++ b/test/integration/targets/fetch/injection/library/slurp.py @@ -0,0 +1,29 @@ +#!/usr/bin/python +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + + +DOCUMENTATION = """ + module: fakeslurp + short_desciptoin: fake slurp module + description: + - this is a fake slurp module + options: + _notreal: + description: really not a real slurp + author: + - me +""" + +import json +import random + +bad_responses = ['../foo', '../../foo', '../../../foo', '/../../../foo', '/../foo', '//..//foo', '..//..//foo'] + + +def main(): + print(json.dumps(dict(changed=False, content='', encoding='base64', source=random.choice(bad_responses)))) + + +if __name__ == '__main__': + main() diff --git a/test/integration/targets/fetch/meta/main.yml b/test/integration/targets/fetch/roles/fetch_tests/meta/main.yml index cb6005d042..1810d4bec9 100644 --- a/test/integration/targets/fetch/meta/main.yml +++ b/test/integration/targets/fetch/roles/fetch_tests/meta/main.yml @@ -1,3 +1,2 @@ dependencies: - - prepare_tests - setup_remote_tmp_dir diff --git a/test/integration/targets/fetch/tasks/main.yml b/test/integration/targets/fetch/roles/fetch_tests/tasks/main.yml index 267ae0f0cd..267ae0f0cd 100644 --- a/test/integration/targets/fetch/tasks/main.yml +++ b/test/integration/targets/fetch/roles/fetch_tests/tasks/main.yml diff --git a/test/integration/targets/fetch/run_fetch_tests.yml b/test/integration/targets/fetch/run_fetch_tests.yml new file mode 100644 index 0000000000..f2ff1df3dd --- /dev/null +++ b/test/integration/targets/fetch/run_fetch_tests.yml @@ -0,0 +1,5 @@ +- name: call fetch_tests role + hosts: testhost + gather_facts: false + roles: + - fetch_tests diff --git a/test/integration/targets/fetch/runme.sh b/test/integration/targets/fetch/runme.sh new file mode 100755 index 0000000000..7e909dde09 --- /dev/null +++ b/test/integration/targets/fetch/runme.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env bash + +set -eux + +# setup required roles +ln -s ../../setup_remote_tmp_dir roles/setup_remote_tmp_dir + +# run old type role tests +ansible-playbook -i ../../inventory run_fetch_tests.yml -e "output_dir=${OUTPUT_DIR}" -v "$@" + +# run tests to avoid path injection from slurp when fetch uses become +ansible-playbook -i ../../inventory injection/avoid_slurp_return.yml -e "output_dir=${OUTPUT_DIR}" -v "$@" |