Bug #14635
closed
CVE-2016-3693 - `inspect` in a provisioning template exposes sensitive controller information
Added by Dominic Cleal over 8 years ago.
Updated over 6 years ago.
Description
A provisioning template containing <%= inspect %> will expose sensitive information about the Rails controller and application when rendered using Safemode rendering (the default).
Safemode is initialised with a "delegate" object that is typically the Rails controller. When inspect is called on it, all information about the Rails app is exposed, including routes, secret tokens, caches and so on.
Thanks to Ivan Necas for reporting the security issue to foreman-security@googlegroups.com.
All versions of Foreman are vulnerable; a CVE identifier will be requested.
I'd suggest the rendering methods shouldn't be mixed directly into controllers and should instead be in a more isolated object, which would limit the amount of data being exposed.
It may be worth trying to get #inspect removed from safemode's default permitted methods due to its ability to expose instance variables.
- Status changed from New to Assigned
- Assignee set to Ivan Necas
I'd suggest the rendering methods shouldn't be mixed directly into controllers and should instead be in a more isolated object, which would limit the amount of data being exposed.
That would be really awesome, one can get inspiration in the remote execution plugin which implements its own renderer. The only downside is that it would be quite a big change for a security fix since it involves both TemplatesController and UnattendedController. So to fix this I'd just disable inspect globally and as a second PR we could refactor rendering.
Marek Hulán wrote:
The only downside is that it would be quite a big change for a security fix since it involves both TemplatesController and UnattendedController. So to fix this I'd just disable inspect globally and as a second PR we could refactor rendering.
Yes, I agree. If removing #inspect isn't possible or accepted, then we can just fix this in the next major version with a refactoring.
I looked into the possibility of solving this in Foreman, but it's not nice at all: the problem is that inspect is allowed on the Safemode::Blankslate object and there is no easy way to remove it from there: we would need to override the `inspect` method on the objects that are used by safemode, which would affect their behaviour even outside of rendering.
Also, the problem is not just with the Safemode::Scope, but also with the Jail objects, where one can see attributes that were not allowed in safemode.
Removing the inspect from the allowed methods seems like the best thing we can do right now.
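The following is an added example, not code from Foreman or the safemode gem. It models the mechanism described in the report and the fix Ivan settles on: a BlankSlate-style proxy that forwards only an allowlist of method names to a delegate object standing in for the Rails controller. With `inspect` on the allowlist, the default `Object#inspect` of the delegate dumps its instance variables (routes, secret token); with `inspect` removed, the same template is refused while a benign template still renders. All class, constant and variable names (`SensitiveController`, `RestrictedProxy`, `PERMITTED_*`, `TEMPLATE_*`) and the sample values are constructed for this demonstration.

```ruby
# Stand-in for the Rails controller used as the Safemode "delegate".
# The instance variables model the kind of state a real controller carries;
# the values are constructed sample data, not anything from Foreman.
class SensitiveController
  def initialize
    @secret_token = "constructed-secret-token-0123"
    @routes = ["/hosts", "/templates"]
  end

  # The one method the template author is meant to be able to call.
  def hostname
    "host01.example.test"
  end
end

# Minimal BlankSlate-style proxy (an assumption modelled on the idea of
# Safemode::Blankslate, not its code). Inheriting from BasicObject leaves
# no Kernel methods to reach, so the allowlist is the only route to the
# delegate. Anything not on it raises instead of being forwarded.
class RestrictedProxy < BasicObject
  def initialize(delegate, permitted)
    @__delegate = delegate
    @__permitted = permitted
  end

  def method_missing(name, *args, &blk)
    if @__permitted.include?(name)
      @__delegate.public_send(name, *args, &blk)
    else
      # Constants and Kernel must be addressed explicitly inside a BasicObject.
      ::Kernel.raise ::NoMethodError, "#{name} is not permitted in the sandbox"
    end
  end
end

# Allowlists: the pre-fix shape (inspect permitted) and the hardened shape.
PERMITTED_WITH_INSPECT = [:hostname, :inspect].freeze
PERMITTED_HARDENED     = [:hostname].freeze

# Templates as blocks evaluated against the proxy; this plays the role of
# an ERB template such as `<%= inspect %>` rendered under Safemode.
TEMPLATE_WITH_INSPECT = proc { "host: #{hostname}; dump: #{inspect}" }
TEMPLATE_BENIGN       = proc { "host: #{hostname}" }

# Render a template inside the sandbox. Returns the rendered string, or a
# "REFUSED: ..." marker when the allowlist blocked a call.
def render_in_sandbox(template, permitted)
  proxy = RestrictedProxy.new(SensitiveController.new, permitted)
  proxy.instance_eval(&template)
rescue NoMethodError => e
  "REFUSED: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  # Pre-fix: Object#inspect on the delegate prints every instance variable.
  puts render_in_sandbox(TEMPLATE_WITH_INSPECT, PERMITTED_WITH_INSPECT)
  # Hardened: the same template is refused ...
  puts render_in_sandbox(TEMPLATE_WITH_INSPECT, PERMITTED_HARDENED)
  # ... while a template that only uses permitted methods still renders.
  puts render_in_sandbox(TEMPLATE_BENIGN, PERMITTED_HARDENED)
end
```

The point to check in any allowlist-based sandbox is the same one the thread lands on: methods inherited from `Object`, such as `inspect` (and, for the same reason, `instance_variables` or `instance_variable_get`), reflect over the receiver's state and must not be on the permitted list, because the receiver is whatever the renderer was handed, not just the attributes the template was meant to see.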
safemode v1.2.4 that includes Ivan's fix was released today.
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/3430 added
- Subject changed from `inspect` in a provisioning template exposes sensitive controller information to CVE-2016-3693 - `inspect` in a provisioning template exposes sensitive controller information
CVE-2016-3693 has been assigned for this issue.
- Release set to 141
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100