Bug 1469599 - Safe mode rendering does not correctly prevent using symbol to proc calls
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Security
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
: GA
Assigned To: Tomer Brisker
QA Contact: Kedar Bidarkar
Keywords: Security, Triaged
Reported: 2017-07-11 10:22 EDT by Tomer Brisker
Modified: 2018-02-21 11:54 EST
CC List: 7 users
Fixed In Version: foreman-1.15.3
Last Closed: 2018-02-21 11:54:17 EST


External Trackers
Tracker ID: Foreman Issue Tracker 20271 (Priority: None, Status: None, Summary: None, Last Updated: 2017-07-11 10:22 EDT)
Tracker ID: Foreman Issue Tracker 20836 (Priority: None, Status: None, Summary: None, Last Updated: 2017-09-21 09:32 EDT)

Description Tomer Brisker 2017-07-11 10:22:33 EDT
Using methods such as `.each`, a user can pass as an argument a symbol to be called, for example `.each(&:delete)`. 
This allows execution of commands that should be blocked by the jail.
A fix proposal in the safemode gem has been suggested: https://github.com/svenfuchs/safemode/pull/23
Once it is merged we should update our version of the gem to the latest one.
Comment 1 Tomer Brisker 2017-07-11 10:22:39 EDT
Created from redmine issue http://projects.theforeman.org/issues/20271
Comment 3 pm-sat@redhat.com 2017-07-11 12:10:34 EDT
Upstream bug assigned to tbrisker@redhat.com
Comment 4 pm-sat@redhat.com 2017-07-11 12:10:37 EDT
Upstream bug assigned to tbrisker@redhat.com
Comment 5 pm-sat@redhat.com 2017-07-11 14:10:37 EDT
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/20271 has been resolved.
Comment 6 Kedar Bidarkar 2018-01-29 08:43:01 EST
Please suggest how exactly I should be testing this.
It appears that I need to test the safe mode rendering of provisioning templates, but I am not sure what exactly needs to/should be tested here.
Comment 7 Tomer Brisker 2018-01-29 08:54:57 EST
First, ensure that `safemode rendering` under settings->provisioning is set to true.
Check that none of the pre-seeded templates (provision, partition table, or job) contains symbol-to-proc syntax. You can do this by searching for the string "(&:" including the quotes. There should be no matching results.

Next, create a template that contains something like:

<%= @host.interfaces.each(&:id) %>

Then click on the "Preview" button. You should see an error message stating something like "Safemode doesn't allow to access 'block_pass' on &:id".
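Added example, not part of this bug's comments and not Foreman's or the safemode gem's code: the template check from the test plan above, done with Ruby's own parser instead of a text search for "(&:". The description reports that a symbol passed with `&` reaches a method the jail should block; the expected error message shows that the fix rejects the `block_pass` syntax node itself. The script below compiles a constructed sample template with ERB, parses the compiled Ruby with RubyVM::AbstractSyntaxTree (MRI 2.6 or later) and reports every BLOCK_PASS node with its template line, so it also catches `map &:ip` without parentheses and non-symbol forms such as `&method(:puts)`, which a search for "(&:" misses. The sample template, the `@host.interfaces` usage and the method names in it are constructed for illustration and are not from a shipped template.

```ruby
# Added example, not Foreman's or the safemode gem's code. The template
# check from the test plan, done with Ruby's parser instead of a search
# for the text "(&:": the ERB is compiled to Ruby, the Ruby is parsed,
# and every BLOCK_PASS node (the `&expr` argument form that the fixed
# safemode rejects as 'block_pass') is reported with its template line.
# Needs RubyVM::AbstractSyntaxTree, i.e. MRI 2.6 or later.
require 'erb'

# Constructed sample, not a Foreman-shipped template. Line 5 is the
# reproducer from the test plan; lines 6 and 7 are block-pass forms that
# the "(&:" text search does not match.
SAMPLE_TEMPLATE = <<~'ERB'
  <%# constructed sample, not a Foreman-shipped template %>
  <% @host.interfaces.each do |iface| %>
  iface <%= iface.name %>
  <% end %>
  <%= @host.interfaces.each(&:id) %>
  <%= @host.interfaces.map &:ip %>
  <%= @host.interfaces.each(&method(:puts)) %>
ERB

# The check from the test plan: template line numbers containing "(&:".
def grep_block_pass(template)
  template.each_line.with_index(1)
          .select { |line, _| line.include?('(&:') }
          .map { |_, lineno| lineno }
end

# Source text covered by one AST node. Block-pass expressions are almost
# always single-line; anything else is reported without its text.
def node_source(node, lines)
  return '(multi-line expression)' unless node.first_lineno == node.last_lineno
  lines[node.first_lineno - 1]
    .byteslice(node.first_column, node.last_column - node.first_column)
end

# Depth-first walk collecting BLOCK_PASS nodes. Children of a node can be
# nodes, arrays of nodes, or plain values such as symbols and integers.
def block_pass_nodes(node, found = [])
  case node
  when RubyVM::AbstractSyntaxTree::Node
    found << node if node.type == :BLOCK_PASS
    node.children.each { |child| block_pass_nodes(child, found) }
  when Array
    node.each { |child| block_pass_nodes(child, found) }
  end
  found
end

# Compile the template, parse the compiled Ruby and return one
# "line N: &expr" string per block-pass argument. ERB keeps one compiled
# line per template line, preceded only by its "#coding:" magic comment,
# so the template line is the compiled line minus that header.
def block_pass_findings(template)
  src = ERB.new(template).src
  lines = src.lines
  header = lines.take_while { |l| l.start_with?('#') }.size
  ast = RubyVM::AbstractSyntaxTree.parse(src)
  block_pass_nodes(ast).map do |bp|
    expr = bp.children.last # the expression written after the `&`
    "line #{expr.first_lineno - header}: &#{node_source(expr, lines)}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "text search for \"(&:\" matches template lines #{grep_block_pass(SAMPLE_TEMPLATE).inspect}"
  puts 'parser finds:'
  block_pass_findings(SAMPLE_TEMPLATE).each { |finding| puts "  #{finding}" }
end
```

Run it with plain `ruby` on any MRI: the text search reports only line 5, while the parser reports lines 5, 6 and 7. Pointing `block_pass_findings` at exported provisioning, partition-table or job templates gives the same "no matching results" check the test plan asks for, but at the level of the syntax node the fix actually rejects rather than one spelling of it.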
Comment 8 Kedar Bidarkar 2018-01-30 04:19:28 EST
Ensured "Safemode rendering" is set to True.

Checked most of the pre-seeded templates and they do not contain "symbol-to-proc" syntax.

Next, cloned and added "<%= @host.interfaces.each(&:id) %>" to a provisioning template.

Upon clicking the "Preview" button, I see the error message below.

"Warning! There was an error rendering the Satellite Kickstart Default Cloned template: Safemode doesn't allow to access 'block_pass' on &:id"

VERIFIED with Sat6.3.0-snap32.0
Comment 9 pm-sat@redhat.com 2018-02-21 11:54:17 EST
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2018:0336
