Using methods such as `.each`, a user can pass as an argument a symbol to be called, for example `.each(&:delete)`. This allows execution of commands that should be blocked by the jail. A fix proposal in the safemode gem has been suggested: https://github.com/svenfuchs/safemode/pull/23. Once it is merged we should update our version of the gem to the latest one.
Created from redmine issue http://projects.theforeman.org/issues/20271
Upstream bug assigned to tbrisker
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/20271 has been resolved.
Please suggest how exactly I should be testing this. It appears that I need to test the safe mode rendering of provisioning templates, but I'm not sure what exactly needs to or should be tested here.
First, ensure that "Safemode rendering" under Settings -> Provisioning is set to true. Check that none of the pre-seeded templates (provision, partition table, or job) contains symbol-to-proc syntax. You can do this by searching for the string "(&:" including the quotes. There should be no matching results. Next, create a template that contains something like: `<%= @host.interfaces.each(&:id) %>` Then click on the "Preview" button. You should see an error message stating something like "Safemode doesn't allow to access 'block_pass' on &:id".
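As an added illustration of the template check described in the comment above (this script is not part of the bug thread, of Foreman or of the safemode gem): instead of grepping for the literal string "(&:", it compiles each template with ERB and walks the resulting Ruby with Ripper from the standard library, so a block argument hidden in a string literal is not flagged and a block passed as a variable (`map(&cb)`), which the grep would miss, is. Ripper represents the `&expr` argument as the third element of an `args_add_block` node rather than as the `block_pass` node the error message names. The sample templates, the `@host.interfaces` attribute names used in them and the expected findings are constructed for this example.

```ruby
require 'erb'
require 'ripper'

# Constructed sample templates; these are not Foreman's shipped templates.
# Only 'symbol_to_proc' and 'block_pass_var' hand a block argument to a call.
SAMPLE_TEMPLATES = {
  'safe_loop'      => "<% @host.interfaces.each do |nic| %>\n<%= nic.ip %>\n<% end %>\n",
  'symbol_to_proc' => "<%= @host.interfaces.each(&:id) %>\n",
  'block_pass_var' => "<% cb = proc { |nic| nic } %>\n<%= @host.interfaces.map(&cb) %>\n",
  'string_only'    => "<%= '(&:id) is just text here' %>\n"
}.freeze

# Compile the ERB to the Ruby that would actually be evaluated, then parse it
# with Ripper. Ripper.sexp returns nil when the source does not parse.
def template_sexp(erb_text)
  Ripper.sexp(ERB.new(erb_text).src)
end

# Walk the S-expression. Ripper models a call's argument list as
# [:args_add_block, <positional args>, <block argument or false>]; a truthy
# third element is exactly the `&expr` form this bug is about.
def block_pass_nodes(node, found = [])
  return found unless node.is_a?(Array)
  found << node[2] if node[0] == :args_add_block && node[2]
  node.each { |child| block_pass_nodes(child, found) }
  found
end

# Render a block-pass node as source-like text a reviewer would recognise.
def describe(node)
  case node[0]
  when :symbol_literal then "&:#{node[1][1][1]}" # [:symbol_literal, [:symbol, [:@ident, "id", ...]]]
  when :var_ref        then "&#{node[1][1]}"     # [:var_ref, [:@ident, "cb", ...]]
  else "&<#{node[0]}>"
  end
end

# Returns the block arguments found in one template, or ['<unparseable>'] when
# the template's Ruby does not parse (treated as a finding, not a pass).
def scan_template(erb_text)
  sexp = template_sexp(erb_text)
  return ['<unparseable>'] if sexp.nil?
  block_pass_nodes(sexp).map { |n| describe(n) }
end

# Audit a name => ERB text hash; only templates with findings are reported.
def audit(templates)
  templates.each_with_object({}) do |(name, text), report|
    hits = scan_template(text)
    report[name] = hits unless hits.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_TEMPLATES).each do |name, hits|
    puts "#{name}: block argument passed -> #{hits.join(', ')}"
  end
end
```

To run it against real templates, replace SAMPLE_TEMPLATES with a hash built from the exported template files; a template that reports a finding is one that would have reached the jail through the block argument before the safemode fix, and should be rewritten with an explicit `do ... end` block.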
Ensured "Safemode rendering" is set to True. Checked most of the pre-seeded templates and they do not contain symbol-to-proc syntax. Next, cloned a provisioning template and added `<%= @host.interfaces.each(&:id) %>` to it. Upon clicking the "Preview" button, I see the error message below. "Warning! There was an error rendering the Satellite Kickstart Default Cloned template: Safemode doesn't allow to access 'block_pass' on &:id" VERIFIED with Sat6.3.0-snap32.0
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0336