authorTristan Cacqueray <tdecacqu@redhat.com>2018-11-22 07:21:57 +0000
committerTobias Henkel <tobias.henkel@bmw.de>2018-11-28 08:27:11 +0100
commit8715505e6d38c092257179b8a089a2a560df5e58 (patch)
tree03a4f1d6455588ffac40ae306a537e031153c03d
parent8a58a358d12b719a4f45410c185b3df2e25f666c (diff)
downloadzuul-8715505e6d38c092257179b8a089a2a560df5e58.tar.gz
executor: harden add_host usage
Since commit d07bc25fc2446b2291bcc50bb3e5d4485630e000, it is possible for an untrusted playbook to execute commands on the executor host. This change restores the add_host restriction and white-lists the intended use case. Change-Id: I36cc604c62a50c95260d076a63a53f28b197792d
-rw-r--r--releasenotes/notes/restrict-add-host-f82bff723568a025.yaml7
-rw-r--r--zuul/ansible/action/add_host.py43
2 files changed, 50 insertions, 0 deletions
diff --git a/releasenotes/notes/restrict-add-host-f82bff723568a025.yaml b/releasenotes/notes/restrict-add-host-f82bff723568a025.yaml
new file mode 100644
index 000000000..59cb4e53d
--- /dev/null
+++ b/releasenotes/notes/restrict-add-host-f82bff723568a025.yaml
@@ -0,0 +1,7 @@
+---
+security:
+ - |
+ The add_host module options are restricted to a hostname, port, user and
+ password. Previously, malicious options could be used to bypass protection
+ and execute tasks on the executor. Only ssh and kubectl connection
+ are authorized.
diff --git a/zuul/ansible/action/add_host.py b/zuul/ansible/action/add_host.py
new file mode 100644
index 000000000..982c8085c
--- /dev/null
+++ b/zuul/ansible/action/add_host.py
@@ -0,0 +1,43 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# This module is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software. If not, see <http://www.gnu.org/licenses/>.
+
+from zuul.ansible import paths
+add_host = paths._import_ansible_action_plugin("add_host")
+
+
+class ActionModule(add_host.ActionModule):
+
+ def run(self, tmp=None, task_vars=None):
+ safe_args = set((
+ 'ansible_connection',
+ 'ansible_host',
+ 'ansible_port',
+ 'ansible_user'
+ 'ansible_password',
+ 'ansible_ssh_host',
+ 'ansible_ssh_port'
+ 'ansible_ssh_user',
+ 'ansible_ssh_pass',
+ ))
+ args = set(filter(
+ lambda x: x.startswith('ansible_'), self._task.args.keys()))
+ conn = self._task.args.get('ansible_connection', 'ssh')
+ if args.issubset(safe_args) and conn in ('kubectl', 'ssh'):
+ return super(ActionModule, self).run(tmp, task_vars)
+
+ return dict(
+ failed=True,
+ msg="Adding hosts %s with %s to the inventory is prohibited" % (
+ conn, " ".join(args.difference(safe_args))))
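Review bot: Two entries in the `safe_args` tuple are missing their trailing comma, so Python concatenates the adjacent string literals: `'ansible_user'` fuses with `'ansible_password'`, and `'ansible_ssh_port'` with `'ansible_ssh_user'`. The set therefore contains `'ansible_useransible_password'` and `'ansible_ssh_portansible_ssh_user'`, and a task that sets any of those four options is refused even though the release note lists user and password as permitted. The check fails closed rather than open, but it should be corrected by writing `'ansible_user',` and `'ansible_ssh_port',`, with a unit test that passes each allowed key through `run` so that a dropped comma is caught. Separately, only keys that start with `ansible_` are compared against the allow-list, so it is worth confirming that no other add_host argument can change how the connection to the new host is made.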