Bug #14635

closed

CVE-2016-3693 - `inspect` in a provisioning template exposes sensitive controller information

Added by Dominic Cleal almost 8 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
High
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

A provisioning template containing <%= inspect %> will expose sensitive information about the Rails controller and application when rendered using Safemode rendering (the default).

Safemode is initialised with a "delegate" object that is typically the Rails controller. When inspect is called on it, all information about the Rails app is exposed, including routes, secret tokens, caches and so on.

Thanks to Ivan Necas for reporting the security issue to .

All versions of Foreman are vulnerable; a CVE identifier will be requested.

Actions #1

Updated by Dominic Cleal almost 8 years ago

I'd suggest the rendering methods shouldn't be mixed directly into controllers and should instead be in a more isolated object, which would limit the amount of data being exposed.

It may be worth trying to get #inspect removed from safemode's default permitted methods due to its ability to expose instance variables.

Actions #2

Updated by Ivan Necas almost 8 years ago

  • Status changed from New to Assigned
  • Assignee set to Ivan Necas

Actions #3

Updated by Marek Hulán almost 8 years ago

I'd suggest the rendering methods shouldn't be mixed directly into controllers and should instead be in a more isolated object, which would limit the amount of data being exposed.

That would be really awesome; one can get inspiration in the remote execution plugin, which implements its own renderer. The only downside is that it would be quite a big change for a security fix since it involves both TemplatesController and UnattendedController. So to fix this I'd just disable inspect globally and as a second PR we could refactor rendering.

Actions #4

Updated by Dominic Cleal almost 8 years ago

Marek Hulán wrote:

The only downside is that it would be quite big change for a security fix since it involves both TemplatesController and UnattendedController. So to fix this I'd just disable inspect globally and as a second PR we could refactor rendering.

Yes, I agree. If removing #inspect isn't possible or accepted, then we can just fix this in the next major version with a refactoring.

Actions #5

Updated by Ivan Necas almost 8 years ago

I looked into the possibility of solving this in Foreman, but it's not nice at all: the problem is that inspect is allowed on the Safemode::Blankslate object and there is no easy way to remove it from there: we would need to override the `inspect` method on the objects that are used by safemode, which would affect their behaviour even outside of rendering.

Also, the problem is not just with the Safemode::Scope, but also with the Jail objects, where one can see attributes that were not allowed in safemode.

Removing the inspect from the allowed methods seems like the best thing we can do right now.
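As an added illustration (not safemode's or Foreman's code), the following Ruby model shows why a blank-slate jail that keeps `inspect` in its permitted list leaks the delegated object's state, and what removing it changes. FakeController, build_jail_class, leaks_secret? and the secret value are constructed for this example and are not the real classes in Foreman or safemode.

```ruby
# Minimal model of a blank-slate "jail" like safemode's: every inherited
# public method is undefined except an explicit keep-list, and anything
# else goes through method_missing, which forwards only allowed names.
# Names here (FakeController, build_jail_class) are constructed for the
# example; this is not the safemode gem's code.

# Stand-in for the Rails controller that safemode delegates to.
class FakeController
  def initialize
    @secret_token = 'constructed-secret-token' # sensitive state
    @routes = ['/hosts', '/users']
  end

  def hostname
    'host01.example.com'
  end
end

# permit_inspect: true models the vulnerable keep-list, false the fixed one.
def build_jail_class(permit_inspect)
  Class.new do
    keep = %i[__send__ __id__ object_id instance_eval respond_to?
              respond_to_missing? class]
    keep << :inspect if permit_inspect
    instance_methods.each { |m| undef_method(m) unless keep.include?(m) }

    define_method(:initialize) do |target, allowed|
      @target  = target   # the delegate; Object#inspect dumps it and its ivars
      @allowed = allowed  # method names the template may call
    end

    define_method(:method_missing) do |name, *args|
      raise SecurityError, "#{name} is not allowed" unless @allowed.include?(name)
      @target.public_send(name, *args)
    end
  end
end

# Evaluates the bare call `inspect` inside the jail, which is what
# <%= inspect %> becomes in a template, and reports whether the rendered
# string contains the delegate's secret.
def leaks_secret?(jail_class)
  jail = jail_class.new(FakeController.new, [:hostname])
  jail.instance_eval('inspect').include?('constructed-secret-token')
rescue SecurityError
  false # inspect not permitted: method_missing refused the call
end

if __FILE__ == $PROGRAM_NAME
  puts "inspect permitted: leaks=#{leaks_secret?(build_jail_class(true))}"
  puts "inspect removed:   leaks=#{leaks_secret?(build_jail_class(false))}"
end
```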

Actions #6

Updated by Ivan Necas almost 8 years ago

I've opened a PR against safemode to address the issue https://github.com/svenfuchs/safemode/pull/17

Actions #7

Updated by Anonymous almost 8 years ago

safemode v1.2.4 that includes Ivan's fix was released today.

Actions #8

Updated by The Foreman Bot almost 8 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3430 added

Actions #9

Updated by Dominic Cleal almost 8 years ago

  • Subject changed from `inspect` in a provisioning template exposes sensitive controller information to CVE-2016-3693 - `inspect` in a provisioning template exposes sensitive controller information

CVE-2016-3693 has been assigned for this issue.

Actions #10

Updated by Dominic Cleal almost 8 years ago

  • Release set to 141

Actions #11

Updated by Ivan Necas almost 8 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100