From febb20e1210a2d5415c8320ec4676e29bb8b364f Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Wed, 20 Sep 2023 09:39:46 +0200 Subject: [PATCH] Fixes #36759 - only call allowed transpilers CVE-2022-3874: OS command injection via ct_command and fcct_command Instead of allowing to call *any* command by changing a setting, only allow specific paths to ct/fcct. If the user needs a different path, they can set it via settings.yaml. --- .../foreman/settings/provisioning.rb | 31 ++++++++++++++----- .../renderer/scope/macros/transpilers.rb | 6 ++-- ...093000_move_ct_command_into_own_setting.rb | 24 ++++++++++++++ 3 files changed, 51 insertions(+), 10 deletions(-) create mode 100644 db/migrate/20230920093000_move_ct_command_into_own_setting.rb diff --git a/app/registries/foreman/settings/provisioning.rb b/app/registries/foreman/settings/provisioning.rb index 2be758bb8bad..81bef8f63539 100644 --- a/app/registries/foreman/settings/provisioning.rb +++ b/app/registries/foreman/settings/provisioning.rb @@ -2,6 +2,9 @@ Foreman::SettingManager.define(:foreman) do category(:provisioning, N_('Provisioning')) do + CT_LOCATIONS = %w(/usr/bin/ct /usr/local/bin/ct) + FCCT_LOCATIONS = %w(/usr/bin/fcct /usr/local/bin/fcct) + owner_select = proc do [{:name => _("Users"), :class => 'user', :scope => 'visible', :value_method => 'id_and_type', :text_method => 'login'}, {:name => _("Usergroups"), :class => 'usergroup', :scope => 'visible', :value_method => 'id_and_type', :text_method => 'name'}] @@ -119,16 +122,28 @@ description: N_("Default 'Host initial configuration' template, automatically assigned when a new operating system is created"), default: 'Linux host_init_config default', full_name: N_("Default 'Host initial configuration' template")) - setting('ct_command', + setting('ct_location', + type: :string, + description: N_("Full path to CoreOS transpiler (ct)"), + default: CT_LOCATIONS.first + full_name: N_("CoreOS Transpiler Command"), + collection: proc { CT_LOCATIONS.zip(CT_LOCATIONS).to_h }) + setting('ct_arguments', type: :array, - description: N_("Full path to CoreOS transpiler (ct) with arguments as an comma-separated array"), - default: [which('ct'), '--pretty', '--files-dir', Rails.root.join('config', 'ct').to_s], - full_name: N_("CoreOS Transpiler Command")) - setting('fcct_command', + description: N_("CoreOS transpiler (ct) arguments as an comma-separated array"), + default: ['--pretty', '--files-dir', Rails.root.join('config', 'ct').to_s], + full_name: N_("CoreOS Transpiler Command Arguments")) + setting('fcct_location', + type: :string, + description: N_("Full path to Fedora CoreOS transpiler (fcct)"), + default: FCCT_LOCATIONS.first, + full_name: N_("Fedora CoreOS Transpiler Command"), + collection: proc { FCCT_LOCATIONS.zip(FCCT_LOCATIONS).to_h }) + setting('fcct_arguments', type: :array, - description: N_("Full path to Fedora CoreOS transpiler (fcct) with arguments as an comma-separated array"), - default: [which('fcct'), '--pretty', '--files-dir', Rails.root.join('config', 'ct').to_s], - full_name: N_("Fedora CoreOS Transpiler Command")) + description: N_("Fedora CoreOS transpiler (fcct) arguments as an comma-separated array"), + default: ['--pretty', '--files-dir', Rails.root.join('config', 'ct').to_s], + full_name: N_("Fedora CoreOS Transpiler Command Arguments")) # We have following loop twice to keep the historical order. # TODO: First resolve the correct order and then optimize this loop. diff --git a/app/services/foreman/renderer/scope/macros/transpilers.rb b/app/services/foreman/renderer/scope/macros/transpilers.rb index 3682842debba..8d808f77ce83 100644 --- a/app/services/foreman/renderer/scope/macros/transpilers.rb +++ b/app/services/foreman/renderer/scope/macros/transpilers.rb @@ -15,7 +15,8 @@ module Transpilers end def transpile_coreos_linux_config(input, validate_input = true, validate_output = false) YAML.safe_load(input) if validate_input - result = Foreman::CommandRunner.new(Setting[:ct_command], input).run! + ct_command = [Setting[:ct_location]] + Setting[:ct_arguments] + result = Foreman::CommandRunner.new(ct_command, input).run! JSON.parse(result) if validate_output result end @@ -29,7 +30,8 @@ def transpile_coreos_linux_config(input, validate_input = true, validate_output example "transpile_coreos_linux_config(\"---\\nyaml: blah\") #=> JSON" end def transpile_fedora_coreos_config(input) - Foreman::CommandRunner.new(Setting[:fcct_command], input).run! + fcct_command = [Setting[:fcct_location]] + Setting[:fcct_arguments] + Foreman::CommandRunner.new(fcct_command, input).run! end end end diff --git a/db/migrate/20230920093000_move_ct_command_into_own_setting.rb b/db/migrate/20230920093000_move_ct_command_into_own_setting.rb new file mode 100644 index 000000000000..09ddd4ce96c9 --- /dev/null +++ b/db/migrate/20230920093000_move_ct_command_into_own_setting.rb @@ -0,0 +1,24 @@ +class MoveCtCommandIntoOwnSetting < ActiveRecord::Migration[6.1] + def up + ['ct', 'fcct'].each do |setting_prefix| + setting = Setting.where(name: "#{setting_prefix}_command") + if setting + setting.value = setting.value[1..] + setting.name = "#{setting_prefix}_arguments" + setting.save + end + end + end + + def down + ['ct', 'fcct'].each do |setting_prefix| + setting = Setting.where(name: "#{setting_prefix}_arguments") + if setting + setting.value = ["/usr/bin/#{setting_prefix}"] + setting.value + setting.name = "#{setting_prefix}_command" + setting.save + end + end + end +end +