Bug #14635 (Closed)
CVE-2016-3693 - `inspect` in a provisioning template exposes sensitive controller information
Description
A provisioning template containing <%= inspect %> will expose sensitive information about the Rails controller and application when rendered using Safemode rendering (the default).
Safemode is initialised with a "delegate" object that is typically the Rails controller. When inspect is called on it, all information about the Rails app is exposed, including routes, secret tokens, caches and so on.
Thanks to Ivan Necas for reporting the security issue to foreman-security@googlegroups.com.
All versions of Foreman are vulnerable; a CVE identifier will be requested.
Updated by Dominic Cleal over 8 years ago
I'd suggest the rendering methods shouldn't be mixed directly into controllers and should instead be in a more isolated object, which would limit the amount of data being exposed.
It may be worth trying to get #inspect removed from safemode's default permitted methods due to its ability to expose instance variables.
Updated by Ivan Necas over 8 years ago
- Status changed from New to Assigned
- Assignee set to Ivan Necas
Updated by Marek Hulán over 8 years ago
I'd suggest the rendering methods shouldn't be mixed directly into controllers and should instead be in a more isolated object, which would limit the amount of data being exposed.
That would be really awesome, one can get inspiration in the remote execution plugin which implements its own renderer. The only downside is that it would be quite a big change for a security fix since it involves both TemplatesController and UnattendedController. So to fix this I'd just disable inspect globally and as a second PR we could refactor rendering.
Updated by Dominic Cleal over 8 years ago
Marek Hulán wrote:
The only downside is that it would be quite big change for a security fix since it involves both TemplatesController and UnattendedController. So to fix this I'd just disable inspect globally and as a second PR we could refactor rendering.
Yes, I agree. If removing #inspect isn't possible or accepted, then we can just fix this in the next major version with a refactoring.
Updated by Ivan Necas over 8 years ago
I looked into the possibility to solve this in Foreman, but it's not nice at all: the problem is that inspect is allowed on the Safemode::Blankslate object and there is no easy way to remove it from there: we would need to override the `inspect` method on the objects that are used by safemode, which would affect their behaviour even outside of rendering.
Also, the problem is not just with the Safemode::Scope, but also with the Jail objects, where one can see attributes that were not allowed in safemode.
Removing the inspect from the allowed methods seems like the best thing we can do right now.
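As an added illustration of the mechanism described in the report and in the comment above (this is not Foreman's or safemode's code): a toy jail in the style of Safemode::Jail that forwards only allowlisted methods to a wrapped object. `FakeController`, `ToyJail` and the secret value are constructed for the example; the allowlist with and without `inspect` stands in for safemode before and after the fix.

```ruby
# Constructed stand-in for the Rails controller that safemode delegates to.
# Its instance variables are what a default Object#inspect prints.
class FakeController
  def initialize
    @secret_token = 'constructed-secret-token' # constructed, not a real value
    @routes       = %w[/hosts /users]
  end

  def hostname
    'host.example.com'
  end
end

# Minimal jail: BasicObject has no inspect/to_s of its own, so every call,
# including `inspect`, goes through method_missing and the allowlist decides.
class ToyJail < BasicObject
  def initialize(source, allowed)
    @source  = source
    @allowed = allowed.map(&:to_sym)
  end

  def method_missing(name, *args, &blk)
    unless @allowed.include?(name)
      ::Kernel.raise ::NoMethodError, "#{name} is not permitted in the jail"
    end
    @source.public_send(name, *args, &blk)
  end

  def respond_to_missing?(name, _include_private = false)
    @allowed.include?(name)
  end
end

# `inspect` permitted: the jail forwards it to the wrapped object, whose
# default inspect dumps every instance variable, allowlisted or not.
def leaky_render
  jail = ToyJail.new(FakeController.new, %i[hostname inspect])
  "hostname: #{jail.hostname}\ninspect: #{jail.inspect}"
end

# `inspect` removed from the allowlist: permitted attributes still work,
# but inspect no longer reaches the wrapped object.
def safe_render
  jail = ToyJail.new(FakeController.new, %i[hostname])
  jail.inspect
rescue NoMethodError => e
  "blocked: #{e.message}"
end
```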
Updated by Ivan Necas over 8 years ago
I've opened a PR against safemode to address the issue https://github.com/svenfuchs/safemode/pull/17
Updated by Anonymous over 8 years ago
safemode v1.2.4 that includes Ivan's fix was released today.
Updated by The Foreman Bot over 8 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/3430 added
Updated by Dominic Cleal over 8 years ago
- Subject changed from `inspect` in a provisioning template exposes sensitive controller information to CVE-2016-3693 - `inspect` in a provisioning template exposes sensitive controller information
CVE-2016-3693 has been assigned for this issue.
Updated by Dominic Cleal over 8 years ago
- Release set to 141
Updated by Ivan Necas over 8 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 82f9b93c54f72c5814df6bab7fad057eab65b2f2.