author | Tristan Cacqueray <tdecacqu@redhat.com> | 2018-11-22 07:21:57 +0000 |
---|---|---|
committer | Tobias Henkel <tobias.henkel@bmw.de> | 2018-11-28 08:27:11 +0100 |
commit | 8715505e6d38c092257179b8a089a2a560df5e58 (patch) | |
tree | 03a4f1d6455588ffac40ae306a537e031153c03d | |
parent | 8a58a358d12b719a4f45410c185b3df2e25f666c (diff) | |
download | zuul-8715505e6d38c092257179b8a089a2a560df5e58.tar.gz |
executor: harden add_host usage
Since commit d07bc25fc2446b2291bcc50bb3e5d4485630e000, it is possible
for an untrusted playbook to execute commands on the executor host.
This change restores the add_host restriction and white-lists the
intended use case.
Change-Id: I36cc604c62a50c95260d076a63a53f28b197792d
-rw-r--r-- | releasenotes/notes/restrict-add-host-f82bff723568a025.yaml | 7 | ||||
-rw-r--r-- | zuul/ansible/action/add_host.py | 43 |
2 files changed, 50 insertions, 0 deletions
diff --git a/releasenotes/notes/restrict-add-host-f82bff723568a025.yaml b/releasenotes/notes/restrict-add-host-f82bff723568a025.yaml
new file mode 100644
index 000000000..59cb4e53d
--- /dev/null
+++ b/releasenotes/notes/restrict-add-host-f82bff723568a025.yaml
@@ -0,0 +1,7 @@
+---
+security:
+ - |
+ The add_host module options are restricted to a hostname, port, user and
+ password. Previously, malicious options could be used to bypass protection
+ and execute tasks on the executor. Only ssh and kubectl connection
+ are authorized.
diff --git a/zuul/ansible/action/add_host.py b/zuul/ansible/action/add_host.py
new file mode 100644
index 000000000..982c8085c
--- /dev/null
+++ b/zuul/ansible/action/add_host.py
@@ -0,0 +1,43 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# This module is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software. If not, see <http://www.gnu.org/licenses/>.
+
+from zuul.ansible import paths
+add_host = paths._import_ansible_action_plugin("add_host")
+
+
+class ActionModule(add_host.ActionModule):
+
+ def run(self, tmp=None, task_vars=None):
+ safe_args = set((
+ 'ansible_connection',
+ 'ansible_host',
+ 'ansible_port',
+ 'ansible_user'
+ 'ansible_password',
+ 'ansible_ssh_host',
+ 'ansible_ssh_port'
+ 'ansible_ssh_user',
+ 'ansible_ssh_pass',
+ ))
+ args = set(filter(
+ lambda x: x.startswith('ansible_'), self._task.args.keys()))
+ conn = self._task.args.get('ansible_connection', 'ssh')
+ if args.issubset(safe_args) and conn in ('kubectl', 'ssh'):
+ return super(ActionModule, self).run(tmp, task_vars)
+
+ return dict(
+ failed=True,
+ msg="Adding hosts %s with %s to the inventory is prohibited" % (
+ conn, " ".join(args.difference(safe_args)))) |
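Review bot: The `safe_args` allowlist in `run` is missing two commas, so Python's implicit string concatenation turns `'ansible_user' 'ansible_password'` into `'ansible_useransible_password'` and `'ansible_ssh_port' 'ansible_ssh_user'` into `'ansible_ssh_portansible_ssh_user'`. As written the set never contains `ansible_user`, `ansible_password`, `ansible_ssh_port` or `ansible_ssh_user`, so tasks passing those options are refused even though the release note lists user and password as permitted; the mistake fails closed, but it breaks the use case the commit means to allow. The two lines should read `'ansible_user',` and `'ansible_ssh_port',`, and a unit test asserting that each permitted key is accepted would catch this kind of slip. Only keys starting with `ansible_` are compared against the allowlist; whether any un-prefixed add_host argument can influence how the host is reached is not visible here and is worth confirming.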