Bug 1469599
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Safe mode rendering does not correctly prevent using symbol to proc calls | | |
| Product | Red Hat Satellite | Reporter | Tomer Brisker <tbrisker> |
| Component | Security | Assignee | Tomer Brisker <tbrisker> |
| Status | CLOSED ERRATA | QA Contact | Kedar Bidarkar <kbidarka> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 6.2.0 | CC | bbuckingham, ehelms, jcallaha, kbidarka, lzap, mhulan, tbrisker |
| Target Milestone | Unspecified | Keywords | Security, Triaged |
| Target Release | Unused | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | foreman-1.15.3 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2018-02-21 16:54:17 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Tomer Brisker
2017-07-11 14:22:33 UTC
Created from redmine issue http://projects.theforeman.org/issues/20271

Upstream bug assigned to tbrisker

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/20271 has been resolved.

Please suggest how exactly I should be testing this. It appears that I need to test the safe mode rendering of provisioning templates, but not sure what exactly needs/should be tested here.

First, ensure that `safemode rendering` under settings->provisioning is set to true. Check that none of the pre-seeded templates (provision, partition table, or job) contains symbol-to-proc syntax. You can do this by searching for the string "(&:" including the quotes. There should be no matching results. Next, create a template that contains something like: `<%= @host.interfaces.each(&:id) %>` Then click on the "Preview" button. You should see an error message stating something like "Safemode doesn't allow to access 'block_pass' on &:id".

Ensured "Safemode rendering" set to True. Checked most of the pre-seeded templates and they do not contain "symbol-to-proc" syntax. Next, cloned and added `<%= @host.interfaces.each(&:id) %>` to a provisioning template. Upon clicking the "Preview" button, I see an error message with the text below: "Warning! There was an error rendering the Satellite Kickstart Default Cloned template: Safemode doesn't allow to access 'block_pass' on &:id"

VERIFIED with Sat6.3.0-snap32.0

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
>
> For information on the advisory, and where to find the updated files, follow the link below.
>
> If the solution does not work for you, open a new bug report.
>
> https://access.redhat.com/errata/RHSA-2018:0336
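As an added example (not code from this bug, from Foreman or from the safemode gem), the template check described above done on the parsed Ruby instead of by grepping for "(&:": the ERB is compiled with the standard library and walked with Ripper, so it also flags `map &:identifier` without parentheses and `&blk` block passes that a text search misses. The `BlockPassLint` module, its method names and the three sample templates are assumptions constructed for this example.

```ruby
require 'erb'
require 'ripper'

# Constructed sample templates (not real Satellite templates).
CLEAN_TEMPLATE = "<%= @host.name %>\n<% @host.interfaces.each do |i| %><%= i.id %>\n<% end %>"
UNSAFE_TEMPLATE = "<%= @host.interfaces.each(&:id) %>"
UNSAFE_NO_PARENS = "<% @host.interfaces.map &:identifier %>"

# Hypothetical lint module: finds block-pass arguments (`&:sym`, `&blk`) in an
# ERB template, the construct that safemode rendering rejects as 'block_pass'.
module BlockPassLint
  module_function

  # Compile the template to Ruby with stdlib ERB#src and parse it with Ripper.
  # A template that does not even parse is reported rather than treated as clean.
  def scan(template)
    sexp = Ripper.sexp(ERB.new(template).src)
    return [{ kind: :syntax_error, name: nil }] if sexp.nil?
    walk(sexp, [])
  end

  # Ripper emits call arguments as [:args_add_block, args, block_arg], where
  # block_arg is false unless an `&...` argument was passed to the call.
  def walk(node, findings)
    return findings unless node.is_a?(Array)
    findings << describe(node.last) if node.first == :args_add_block && node.last
    node.each { |child| walk(child, findings) }
    findings
  end

  # Distinguish symbol-to-proc (`&:id`) from passing an existing proc (`&blk`).
  def describe(block_arg)
    name = symbol_name(block_arg)
    { kind: name ? :symbol_to_proc : :block_pass, name: name }
  end

  # Plain symbols only: [:symbol_literal, [:symbol, [:@ident, "id", [line, col]]]] -> "id"
  def symbol_name(block_arg)
    return nil unless block_arg.is_a?(Array) && block_arg.first == :symbol_literal
    sym = block_arg[1]
    sym[1][1] if sym.is_a?(Array) && sym.first == :symbol
  end
end

if __FILE__ == $PROGRAM_NAME
  { clean: CLEAN_TEMPLATE, unsafe: UNSAFE_TEMPLATE, no_parens: UNSAFE_NO_PARENS }.each do |label, t|
    puts "#{label}: #{BlockPassLint.scan(t).inspect}"
  end
end
```

Run it against exported provisioning, partition table and job templates; any non-empty result is a template that safemode rendering would refuse to preview.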