Bug #10469

Auto provision rule does not enforce host group association to org/location

Added by Dominic Cleal over 2 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assigned To: Lukas Zapletal
Category: Discovery plugin
Target version: -
Difficulty:
Pull request: https://github.com/theforeman/foreman_discovery/pull/202
Bugzilla link:
Story points: -
Velocity based estimate: -

Description

This was reported by Ori Rabin to foreman-security (thanks!) and a CVE identifier was filed under CVE-2015-3199, but it turned out this does not affect any released upstream version.


Steps to reproduce:
  1. log in with a user that has 2 locations (A, B)
  2. discover a host and make sure it is connected to location B
  3. create a hostgroup in location A
  4. create a discovery rule in location B to match the discovered host and use the hostgroup from 3
  5. log in with a user with permissions to location B only
  6. you can see in the discovery rules index page the rule with the hostgroup you created (you can't access the hostgroup)
  7. auto provision the discovered host
  8. go to hosts - the host was provisioned using a hostgroup the second user doesn't have permissions for

The rule creation should enforce that the selected host group is in the same org/location as the rule itself.

Optionally Discovery could also enforce that users must have view_hostgroups permissions for their target host group when using rules, but this isn't done in Foreman core today anyway - #4477, #6470 etc.
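The check the report asks for, as an added plain-Ruby illustration (not foreman_discovery's own code or the fix in the linked pull request). It assumes the semantics that every organization/location a rule is scoped to must also be one its host group belongs to; the constructed data follows the reproduction steps above.

```ruby
# Added example, not the foreman_discovery code: a plain-Ruby model of the
# taxonomy check the report asks for. Assumption: every organization/location
# the rule is scoped to must also be one the host group belongs to, so a user
# limited to location B can never be handed a host group that exists only in A.
Taxonomy = Struct.new(:name)

class Hostgroup
  attr_reader :name, :organizations, :locations
  def initialize(name, organizations: [], locations: [])
    @name, @organizations, @locations = name, organizations, locations
  end
end

class DiscoveryRule
  attr_reader :name, :hostgroup, :organizations, :locations, :errors
  def initialize(name, hostgroup:, organizations: [], locations: [])
    @name, @hostgroup = name, hostgroup
    @organizations, @locations = organizations, locations
    @errors = []
  end

  # Stands in for a model validation: true only when the host group is in
  # every org/location of the rule; otherwise the reasons land in #errors.
  def valid?
    @errors = []
    @errors << 'hostgroup is required' if @hostgroup.nil?
    return false unless @errors.empty?
    check_taxonomy('organization', @organizations, @hostgroup.organizations)
    check_taxonomy('location', @locations, @hostgroup.locations)
    @errors.empty?
  end

  private

  def check_taxonomy(kind, rule_taxa, hostgroup_taxa)
    missing = rule_taxa.map(&:name) - hostgroup_taxa.map(&:name)
    return if missing.empty?
    @errors << "hostgroup #{@hostgroup.name} is not in #{kind}(s): #{missing.join(', ')}"
  end
end

# Constructed data per the steps: host group only in A, rule scoped to B.
def reproduce
  loc_a, loc_b, org = Taxonomy.new('A'), Taxonomy.new('B'), Taxonomy.new('Default')
  hg_a = Hostgroup.new('hg-in-A', organizations: [org], locations: [loc_a])
  hg_ab = Hostgroup.new('hg-in-AB', organizations: [org], locations: [loc_a, loc_b])
  bad = DiscoveryRule.new('rule-B', hostgroup: hg_a, organizations: [org], locations: [loc_b])
  good = DiscoveryRule.new('rule-B', hostgroup: hg_ab, organizations: [org], locations: [loc_b])
  { rejected: !bad.valid?, errors: bad.errors, accepted: good.valid? }
end
```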


Related issues

Related to Discovery - Bug #9881: Discovery rules are not connected to taxonomies Closed 03/24/2015

Associated revisions

Revision 5cb015eb
Added by Lukas Zapletal over 2 years ago

Fixes #10469 - enforced discovery rule taxonomy

History

#1 Updated by Dominic Cleal over 2 years ago

  • Description updated (diff)

#2 Updated by Dominic Cleal over 2 years ago

  • Subject changed from Auto provision rule does not enforce host group association to org/location to CVE-2015-3199 - Auto provision rule does not enforce host group association to org/location
  • Description updated (diff)

#3 Updated by Dominic Cleal over 2 years ago

Given #9881's not even in Discovery 2.x or 3.0.0, does this actually affect any released software? AFAICT, it doesn't.

#4 Updated by Lukas Zapletal over 2 years ago

I can confirm this was not yet released:

g branch -r --contains 47ecc19a26809dabca37aa8d43231aebde4351dc | grep origin
origin/HEAD -> origin/develop
origin/develop

#5 Updated by Lukas Zapletal over 2 years ago

  • Related to Bug #9881: Discovery rules are not connected to taxonomies added

#6 Updated by Lukas Zapletal over 2 years ago

  • Subject changed from CVE-2015-3199 - Auto provision rule does not enforce host group association to org/location to Auto provision rule does not enforce host group association to org/location
  • Description updated (diff)

Updated subject and description.

#7 Updated by Lukas Zapletal over 2 years ago

  • Status changed from New to Assigned
  • Assigned To set to Lukas Zapletal

#8 Updated by The Foreman Bot over 2 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman_discovery/pull/202 added

#9 Updated by Anonymous over 2 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
