From 911e3f156d7ff53fbda6ff71bba832db8d8566aa Mon Sep 17 00:00:00 2001
From: Dominic Cleal
Date: Fri, 27 Sep 2013 16:43:43 +0100
Subject: [PATCH] fixes #3160 - sanitize host/host group names in lookup_value associations (CVE-2013-4386)
---
 app/models/host_common.rb | 2 +-
 test/fixtures/lookup_keys.yml | 2 +-
 test/unit/hostgroup_test.rb | 16 +++++++++++++++-
 3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/app/models/host_common.rb b/app/models/host_common.rb
index 74f40af..6cb531b 100644
--- a/app/models/host_common.rb
+++ b/app/models/host_common.rb
@@ -17,7 +17,7 @@ module HostCommon
 belongs_to :subnet
 before_save :check_puppet_ca_proxy_is_required?
- has_many :lookup_values, :finder_sql => Proc.new { %Q{ SELECT lookup_values.* FROM lookup_values WHERE (lookup_values.match = '#{lookup_value_match}') } }, :dependent => :destroy
+ has_many :lookup_values, :finder_sql => Proc.new { LookupValue.where('lookup_values.match' => lookup_value_match).to_sql }, :dependent => :destroy
 # See "def lookup_values_attributes=" under, for the implementation of accepts_nested_attributes_for :lookup_values
 accepts_nested_attributes_for :lookup_values
diff --git a/test/fixtures/lookup_keys.yml b/test/fixtures/lookup_keys.yml
index 690083d..6f61ef3 100644
--- a/test/fixtures/lookup_keys.yml
+++ b/test/fixtures/lookup_keys.yml
@@ -9,7 +9,7 @@ one:
 two:
 key: ssl_port
- key_type: integer
+ key_type: string
 validator_type: list
 validator_rule: '443,8443'
 puppetclass: one
diff --git a/test/unit/hostgroup_test.rb b/test/unit/hostgroup_test.rb
index 53cb222..3195222 100644
--- a/test/unit/hostgroup_test.rb
+++ b/test/unit/hostgroup_test.rb
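Review bot: The safety of the replaced `has_many :lookup_values` line rests entirely on `LookupValue.where(...)` quoting `lookup_value_match` through the database adapter, and nothing in the hunk records that, so a one-line comment above the `has_many` would keep a later maintainer from reverting to interpolation, e.g. `# finder_sql is built with where(...).to_sql so that lookup_value_match (derived from the user-supplied name) is quoted by the adapter; never interpolate it into a SQL string.` Separately, `:finder_sql` is deprecated in Rails 4.0 and removed in 4.1, so this association will have to be rewritten as a scoped association or an explicit finder method on upgrade; the `where` relation built here is the natural basis for that. `lookup_value_match` is defined outside this hunk, so whether it can be nil (which would turn the condition into `IS NULL` rather than an error) cannot be checked from here. The body of `module HostCommon` continues outside the hunk.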
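Review bot: The `key_type` change from `integer` to `string` on the `two` (ssl_port) fixture is not explained by the commit message, which describes only the quoting fix; presumably it is needed so that the `hostgroupcommon` lookup value used by the new hostgroup tests validates against this key, but that is inferred rather than visible in this patch. A short fixture comment or a sentence in the commit message would tie the two together, e.g. `# string so that the lookup_values fixtures for this key pass validation in hostgroup_test`.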
@@ -176,4 +176,18 @@ class HostgroupTest < ActiveSupport::TestCase
 assert_equal "db", hostgroup.label
 end
-end
\ No newline at end of file
+ test "should find associated lookup_values" do
+ assert_equal [lookup_values(:hostgroupcommon)], hostgroups(:common).lookup_values.sort
+ end
+
+ test "should find associated lookup_values with unsafe SQL name" do
+ hostgroup = hostgroups(:common)
+ hostgroup.name = "Robert';"
+ hostgroup.save!
+ lv = lookup_values(:hostgroupcommon)
+ lv.match = "hostgroup=#{hostgroup.name}"
+ lv.save!
+ assert_equal [lookup_values(:hostgroupcommon)], hostgroup.lookup_values
+ end
+
+end
--
1.8.3.1
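Review bot: The two new tests compare the association inconsistently: the first calls `.sort` on `hostgroups(:common).lookup_values` (which would also require LookupValue to be comparable once more than one record matches), while the second hands the association proxy itself to `assert_equal`; using `assert_equal [lookup_values(:hostgroupcommon)], hostgroup.lookup_values.to_a` in both makes the comparison explicit and independent of proxy equality semantics. The regression case covers only Hostgroup, whereas the fix lives in `HostCommon`; if that module is also mixed into Host (not visible in this patch), an equivalent case in the host test would exercise the other code path. The test also builds `lv.match` by hand as `"hostgroup=#{hostgroup.name}"`, so if `lookup_value_match` for hostgroups is derived differently (from a label or path, say) the assertion could pass or fail for reasons unrelated to quoting; setting `lv.match = hostgroup.lookup_value_match`, or asserting the two are equal first, would pin the intended behaviour. The enclosing `class HostgroupTest` starts outside the hunk.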