author | Tobias Henkel <tobias.henkel@bmw.de> | 2019-02-17 17:10:55 +0100 |
---|---|---|
committer | Tobias Henkel <tobias.henkel@bmw.de> | 2019-03-11 17:49:38 +0100 |
commit | 5ae25f004a32ea76558564612903cef917c3e5b9 (patch) | |
tree | 9a4ace98963a49c246c341844625bd13701d0cc1 /tests/fixtures/config/remote-action-modules | |
parent | 3c73474c0775ad21712c86502096a5ce64e5ac35 (diff) | |
Prevent local code execution via the raw module (3.6.1)
The raw module had not been restricted to remote nodes so jobs could
run arbitrary code on the executor.
Change-Id: I1b37eac65ef59ca749f55117a678c38969e86ead
Diffstat (limited to 'tests/fixtures/config/remote-action-modules')
5 files changed, 40 insertions, 0 deletions
diff --git a/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-delegate.yaml b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-delegate.yaml
new file mode 100644
index 000000000..0768287e9
--- /dev/null
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-delegate.yaml
@@ -0,0 +1,3 @@
+- hosts: all
+ roles:
+ - raw-test-delegate
diff --git a/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-localhost.yaml b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-localhost.yaml
new file mode 100644
index 000000000..8c2970229
--- /dev/null
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/raw-localhost.yaml
@@ -0,0 +1,11 @@
+- hosts: localhost
+ roles:
+ - raw-test-localhost
+
+- hosts: 127.0.0.1
+ roles:
+ - raw-test-localhost
+
+- hosts: "::1"
+ roles:
+ - raw-test-localhost
diff --git a/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-delegate/tasks/main.yaml b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-delegate/tasks/main.yaml
new file mode 100644
index 000000000..ccdf9a422
--- /dev/null
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-delegate/tasks/main.yaml
@@ -0,0 +1,5 @@
+- include: script-delegate.yaml
+ with_items:
+ - ::1
+ - 127.0.0.1
+ - localhost
diff --git a/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-delegate/tasks/script-delegate.yaml b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-delegate/tasks/script-delegate.yaml
new file mode 100644
index 000000000..339c1b724
--- /dev/null
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-delegate/tasks/script-delegate.yaml
@@ -0,0 +1,11 @@
+- name: Raw
+ raw: echo 123
+ delegate_to: "{{ item }}"
+ register: result
+ ignore_errors: true
+
+- assert:
+ that:
+ - "result.failed == true"
+ - "'Executing local code is prohibited' in result.msg"
+ msg: Raw must fail due to local code execution restriction
diff --git a/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-localhost/tasks/main.yaml b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-localhost/tasks/main.yaml
new file mode 100644
index 000000000..5b0f8c68d
--- /dev/null
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/raw-test-localhost/tasks/main.yaml
@@ -0,0 +1,10 @@
+- name: Raw
+ raw: echo 123
+ register: result
+ ignore_errors: true
+
+- assert:
+ that:
+ - "result.failed == true"
+ - "'Executing local code is prohibited' in result.msg"
+ msg: Script must fail due to local code execution restriction |
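Review bot: The delegated case in script-delegate.yaml only ever sees the three loopback spellings that the role's main.yaml feeds in as `item` (`::1`, `127.0.0.1`, `localhost`), so this task does not show whether the restriction also holds when a task is pointed at the executor by a local connection setting rather than by a loopback name. The plugin change itself is outside this path-limited diff, so whether that path is blocked cannot be judged from here; if it is meant to be, a fixture asserting the same `'Executing local code is prohibited'` message for it belongs beside this one. In main.yaml the list entry should be written `- "::1"`, quoted as in raw-localhost.yaml, so the value does not depend on how the YAML loader treats a scalar that starts with a colon. The file name `script-delegate.yaml` also no longer matches its content, which is a `raw` task.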
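Review bot: The assert's failure text in raw-test-localhost/tasks/main.yaml names the wrong module: `msg: Script must fail due to local code execution restriction` sits under a `raw: echo 123` task, so a regression here would be reported as a script-module failure. It should read `msg: Raw must fail due to local code execution restriction`, as the delegate variant already does. A one-line comment above `ignore_errors: true`, such as `# expected to fail; the assert below inspects the registered result`, would also make clear that the ignored error is the behaviour under test.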