(#20584) Add acceptance test for safer yaml handling in request body

This test uses the handling of report data as a proxy for all payload yaml handling. It assumes that if we have safe yaml handling in one endpoint, that the others will also be using the same code paths for deserialization and therefore be patched correctly.
puppetlabs · Feb 27, 2014 · f82f7f7 · f82f7f7
1 parent 0a9bea5
commit f82f7f7
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/acceptance/tests/security/cve-2013-3567_yaml_deserialization_again.rb b/acceptance/tests/security/cve-2013-3567_yaml_deserialization_again.rb
@@ -0,0 +1,24 @@
+test_name "CVE-2013-3567 Arbitrary YAML Deserialization"
+
+reportdir = master.tmpdir('yaml_deserialization')
+
+dangerous_yaml = "--- !ruby/object:Puppet::Transaction::Report { metrics: { resources: !ruby/object:ERB { src: 'exit 0' } }, logs: [], resource_statuses: [], host: '$(puppet master --configprint certname)' }"
+
+submit_bad_yaml = [
+  "curl -k -X PUT",
+  "--cacert $(puppet master --configprint cacert)",
+  "--cert $(puppet master --configprint hostcert)",
+  "--key $(puppet master --configprint hostprivkey)",
+  "-H 'Content-Type: text/yaml'",
+  "-d \"#{dangerous_yaml}\"",
+  "\"https://#{master}:8140/production/report/$(puppet master --configprint certname)\""
+].join(' ')
+
+with_master_running_on(master, "--reportdir #{reportdir} --reports store --daemonize --dns_alt_names=\"puppet,$(facter hostname),$(facter fqdn)\" --autosign true") do
+  on master, submit_bad_yaml
+  on master, "cat #{reportdir}/$(puppet master --configprint certname)/*" do
+    assert_no_match(/ERB/, stdout, "Improperly propagated ERB object from input into puppet code")
+  end
+end
+
+on master, "rm -rf #{reportdir}"