fqdn_rotate: Don't use the value itself as part of the random seed
Previously, the random number generator was seeded with the array or
string to be rotated in addition to any values specifically provided for
seeding. This behavior is potentially insecure in that it allows an
attacker who can modify the source data to choose the post-shuffle
order.
elyscape committed Jun 1, 2015
1 parent a383705 commit 601f681
Showing 3 changed files with 3 additions and 7 deletions.
2 changes: 1 addition & 1 deletion lib/puppet/parser/functions/fqdn_rotate.rb
Expand Up @@ -11,7 +11,7 @@ module Puppet::Parser::Functions
raise(Puppet::ParseError, "fqdn_rotate(): Wrong number of arguments " +
"given (#{arguments.size} for 1)") if arguments.size < 1

value = arguments[0]
value = arguments.shift
require 'digest/md5'

unless value.is_a?(Array) || value.is_a?(String)
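Review bot: The change from `arguments[0]` to `arguments.shift` on the new line is the whole fix, but nothing at this line says why the array is being mutated; the coupling to the seed built further down the function (outside this hunk, where `arguments` is presumably joined into the MD5 input) is invisible to the next reader and easy to undo in a refactor. I would annotate the new line, e.g. `value = arguments.shift # shift, not [0]: the remaining arguments are seed material below and must not include the value being rotated`. The `require 'digest/md5'` inside the function body is pre-existing and not part of this change. The body of fqdn_rotate continues outside the hunk.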
2 changes: 1 addition & 1 deletion spec/acceptance/fqdn_rotate_spec.rb
Expand Up @@ -36,7 +36,7 @@
EOS

apply_manifest(pp, :catch_failures => true) do |r|
expect(r.stdout).to match(/fqdn_rotate is \["c", "d", "a", "b"\]/)
expect(r.stdout).to match(/fqdn_rotate is \["d", "a", "b", "c"\]/)
end
end
end
6 changes: 1 addition & 5 deletions spec/functions/fqdn_rotate_spec.rb
Expand Up @@ -5,10 +5,6 @@
it { is_expected.to run.with_params().and_raise_error(Puppet::ParseError, /wrong number of arguments/i) }
it { is_expected.to run.with_params(0).and_raise_error(Puppet::ParseError, /Requires either array or string to work with/) }
it { is_expected.to run.with_params({}).and_raise_error(Puppet::ParseError, /Requires either array or string to work with/) }
it {
pending("Current implementation ignores parameters after the first.")
is_expected.to run.with_params("one", "two").and_raise_error(Puppet::ParseError)
}
it { is_expected.to run.with_params('').and_return('') }
it { is_expected.to run.with_params('a').and_return('a') }

Expand Down Expand Up @@ -38,7 +34,7 @@

it "should use the Puppet::Util.deterministic_rand function" do
if Puppet::Util.respond_to?(:deterministic_rand)
Puppet::Util.expects(:deterministic_rand).with(113646079810780526294648115052177588845,4)
Puppet::Util.expects(:deterministic_rand).with(44489829212339698569024999901561968770,4)
fqdn_rotate("asdf")
else
skip 'Puppet::Util#deterministic_rand not available'
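Review bot: The updated `Puppet::Util.expects(:deterministic_rand).with(...)` expectation swaps one magic seed integer for another, but no example in this file checks the property the commit message claims, namely that the seed no longer depends on the value being rotated; if someone later reverts to seeding from the value, this spec would only fail by coincidence of the constant. I would add an example that calls `fqdn_rotate` with two strings of equal length (say "asdf" and "fdsa") and expects `deterministic_rand` to be called with the same seed both times, and, since the pending `with_params("one", "two")` example was dropped, another asserting that supplying a second argument changes the seed. A one-line comment above the existing expectation naming the constant's origin (the MD5 of the fqdn plus extra arguments) would also help. The `it "should use the Puppet::Util.deterministic_rand function"` block and its enclosing describe end outside the hunk.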
