Bug 1469599

Summary: Safe mode rendering does not correctly prevent using symbol to proc calls
Product: Red Hat Satellite
Reporter: Tomer Brisker <tbrisker>
Component: Security
Assignee: Tomer Brisker <tbrisker>
Status: CLOSED ERRATA
QA Contact: Kedar Bidarkar <kbidarka>
Severity: high
Priority: high
Docs Contact:
Version: 6.2.0
CC: bbuckingham, ehelms, jcallaha, kbidarka, lzap, mhulan, tbrisker
Target Milestone: Unspecified
Keywords: Security, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Fixed In Version: foreman-1.15.3
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-21 16:54:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Tomer Brisker 2017-07-11 14:22:33 UTC
Using methods such as `.each`, a user can pass as an argument a symbol to be called, for example `.each(&:delete)`. 
This allows execution of commands that should be blocked by the jail.
A fix proposal in the safemode gem has been suggested: https://github.com/svenfuchs/safemode/pull/23
Once it is merged we should update our version of the gem to the latest one.

Comment 1 Tomer Brisker 2017-07-11 14:22:39 UTC
Created from redmine issue http://projects.theforeman.org/issues/20271

Comment 3 Satellite Program 2017-07-11 16:10:34 UTC
Upstream bug assigned to tbrisker

Comment 4 Satellite Program 2017-07-11 16:10:37 UTC
Upstream bug assigned to tbrisker

Comment 5 Satellite Program 2017-07-11 18:10:37 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/20271 has been resolved.

Comment 6 Kedar Bidarkar 2018-01-29 13:43:01 UTC
Please suggest how exactly I should be testing this?
It appears that I need to test the safe mode rendering of provisioning templates, but I am not sure what exactly needs to be tested here.

Comment 7 Tomer Brisker 2018-01-29 13:54:57 UTC
First, ensure that `safemode rendering` under settings->provisioning is set to true.
Check that none of the pre-seeded templates (provision, partition table, or job) contains symbol-to-proc syntax. You can do this by searching for the string "(&:" including the quotes. There should be no matching results.

Next, create a template that contains something like:

<%= @host.interfaces.each(&:id) %>

Then click on the "Preview" button. You should see an error message stating something like "Safemode doesn't allow to access 'block_pass' on &:id".
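
The manual check above (grep the seeded templates for `(&:`, then preview a template containing `.each(&:id)`) can be scripted. The following is an added example, not code from this bug, from Foreman, or from the safemode gem: it extracts the Ruby inside each ERB tag and uses Ruby's standard-library `Ripper` lexer to flag the symbol-to-proc form (`&` immediately followed by a symbol literal), which is exactly the `block_pass` construct the description says escapes the jail. The template strings are constructed for this example; a plain substring search would also flag `(&:` inside a string literal, which the lexer-based check does not. Only the `&:sym` form is flagged; `&blk` and `&method(:x)` are out of scope here.

```ruby
require 'ripper'

# Constructed sample templates (not Foreman/Satellite seed templates).
# Only the entries that use symbol-to-proc should be reported.
SAMPLE_TEMPLATES = {
  'safe block form'      => "<% @host.interfaces.each do |i| %>\n<%= i.id %>\n<% end %>",
  'symbol to proc'       => "<%= @host.interfaces.each(&:id) %>",
  'string literal only'  => "<%= \"literal (&:id) text\" %>",
  'map with symbol proc' => "<% names = @host.interfaces.map(&:name) %>\n<%= names.join(',') %>",
  'plain text'           => "This template has no ERB tags at all.",
}.freeze

# Pull the Ruby source out of every <% %>, <%= %> and <%- -%> tag.
def erb_code_fragments(template)
  template.scan(/<%-?=?(.*?)-?%>/m).flatten
end

# Tokenize one fragment and return the [line, column] of every `&` operator
# that is directly followed by a symbol literal, i.e. every `&:sym`.
# Symbol#to_proc turns `&:delete` into a call the jail's method-name checks
# never see, which is why this shape must be rejected at parse time.
def symbol_to_proc_offsets(code)
  hits = []
  Ripper.lex(code).each_cons(2) do |(pos, type, tok, *), (_, next_type, *)|
    hits << pos if type == :on_op && tok == '&' && next_type == :on_symbeg
  end
  hits
end

# Return the offending code fragments (whitespace stripped) in one template.
def find_symbol_to_proc(template)
  erb_code_fragments(template)
    .select { |code| symbol_to_proc_offsets(code).any? }
    .map { |code| code.strip }
end

# Audit a { name => body } hash; the result maps each failing template name
# to its offending fragments and omits templates that pass.
def audit_templates(templates)
  templates.each_with_object({}) do |(name, body), report|
    offenders = find_symbol_to_proc(body)
    report[name] = offenders unless offenders.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  report = audit_templates(SAMPLE_TEMPLATES)
  report.each { |name, offenders| puts "#{name}: #{offenders.join(' | ')}" }
  puts 'no symbol-to-proc usage found' if report.empty?
end
```

Run it over the bodies of real provisioning, partition table and job templates (for example exported from the UI or API) to reproduce the "no matching results" expectation from the first step; any template it reports will fail the safemode preview with the `block_pass` error once the fix is in place.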

Comment 8 Kedar Bidarkar 2018-01-30 09:19:28 UTC
Ensured "Safemode rendering" is set to True.

Checked most of the pre-seeded templates and they do not contain "symbol-to-proc" syntax.

Next, cloned and added "<%= @host.interfaces.each(&:id) %>" to a provisioning template.

Upon clicking the "Preview" button, I see the error message below.

"Warning! There was an error rendering the Satellite Kickstart Default Cloned template: Safemode doesn't allow to access 'block_pass' on &:id"

VERIFIED with Sat6.3.0-snap32.0

Comment 9 Satellite Program 2018-02-21 16:54:17 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2018:0336