From f82f7f7fbd1cfe6cf25c2997f71cc0dfd236d283 Mon Sep 17 00:00:00 2001
From: Patrick Carlisle
Date: Fri, 24 May 2013 15:34:17 -0700
Subject: [PATCH] (#20584) Add acceptance test for safer yaml handling in request body
This test uses the handling of report data as a proxy for all payload yaml handling. It assumes that if we have safe yaml handling in one endpoint, that the others will also be using the same code paths for deserialization and therefore be patched correctly.
---
...ve-2013-3567_yaml_deserialization_again.rb | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 acceptance/tests/security/cve-2013-3567_yaml_deserialization_again.rb
diff --git a/acceptance/tests/security/cve-2013-3567_yaml_deserialization_again.rb b/acceptance/tests/security/cve-2013-3567_yaml_deserialization_again.rb
new file mode 100644
index 00000000000..a6c9232c024
--- /dev/null
+++ b/acceptance/tests/security/cve-2013-3567_yaml_deserialization_again.rb
@@ -0,0 +1,24 @@
+test_name "CVE-2013-3567 Arbitrary YAML Deserialization"
+
+reportdir = master.tmpdir('yaml_deserialization')
+
+dangerous_yaml = "--- !ruby/object:Puppet::Transaction::Report { metrics: { resources: !ruby/object:ERB { src: 'exit 0' } }, logs: [], resource_statuses: [], host: '$(puppet master --configprint certname)' }"
+
+submit_bad_yaml = [
+ "curl -k -X PUT",
+ "--cacert $(puppet master --configprint cacert)",
+ "--cert $(puppet master --configprint hostcert)",
+ "--key $(puppet master --configprint hostprivkey)",
+ "-H 'Content-Type: text/yaml'",
+ "-d \"#{dangerous_yaml}\"",
+ "\"https://#{master}:8140/production/report/$(puppet master --configprint certname)\""
+].join(' ')
+
+with_master_running_on(master, "--reportdir #{reportdir} --reports store --daemonize --dns_alt_names=\"puppet,$(facter hostname),$(facter fqdn)\" --autosign true") do
+ on master, submit_bad_yaml
+ on master, "cat #{reportdir}/$(puppet master --configprint certname)/*" do
+ assert_no_match(/ERB/, stdout, "Improperly propagated ERB object from input into puppet code")
+ end
+end
+
+on master, "rm -rf #{reportdir}"
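Review bot: The only assertion is `assert_no_match(/ERB/, stdout, ...)` on the stored report, and nothing checks the outcome of the PUT itself, so the test cannot tell a payload that was deserialized as plain data from a request that never reached the report handler. curl is run without `--fail` or any status check, so an HTTP error still exits 0, and the following `cat` on an unmatched glob would then presumably fail the step with an unrelated-looking error rather than a clear verdict. Consider capturing the status, e.g. adding `-s -o /dev/null -w '%{http_code}'` to `submit_bad_yaml` and asserting on `stdout` in a block on that `on master` call, using whatever status the patched master is expected to return. Separately, `-k` disables the verification that `--cacert` is supplied for, so one of the two can go, and the final `rm -rf` is better placed in a `teardown do ... end` block so a failed assertion does not leave the report directory behind.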