Bug #20271
Safe mode rendering does not correctly prevent using symbol to proc calls
Description
With methods such as `.each`, a user can pass a symbol as the block argument (the Symbol#to_proc form), for example `.each(&:delete)`.
This allows execution of method calls that should be blocked by the jail.
A fix has been proposed in the safemode gem: https://github.com/svenfuchs/safemode/pull/23
Once it is merged, we should update our version of the gem to the latest one.
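As an added illustration of the mitigation (not Foreman's or the safemode gem's own code), the following lint compiles a template with ERB, lexes the resulting Ruby with Ripper, and reports every `&:symbol` block pass so such templates can be rejected before rendering; the sample templates are constructed for the example.

```ruby
require "erb"
require "ripper"

# Added example, not code from Foreman or the safemode gem: a conservative
# lint that finds the Symbol#to_proc block-pass form (`&:method_name`) in
# the Ruby embedded in an ERB template, the construct this report describes
# as slipping past the safe-mode rendering jail.

# Returns every `&:symbol` occurrence found in the template's Ruby code.
def to_proc_block_passes(template)
  ruby_src = ERB.new(template).src   # compile ERB to plain Ruby source
  tokens = Ripper.lex(ruby_src)      # [[line, col], type, text, state]
  hits = []
  tokens.each_cons(3) do |amp, symbeg, name|
    # `&` directly followed by a symbol opener `:` is a block pass of a
    # symbol; `a & :b` has whitespace in between and is not matched, and
    # `&blk` (a proc variable) is followed by an identifier, not `:`.
    next unless amp[1] == :on_op && amp[2] == "&" && symbeg[1] == :on_symbeg
    hits << "&:#{name[2]}"
  end
  hits
end

# True when the template uses no `&:symbol` block pass.
def safe_template?(template)
  to_proc_block_passes(template).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample templates, not real Foreman templates.
  puts to_proc_block_passes("<% hosts.each(&:delete) %>").inspect  # ["&:delete"]
  puts safe_template?("<%= hosts.map { |h| h.name }.join(', ') %>")   # true
end
```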
Associated revisions
Fixes #20271 - update safemode gem
Fixes #20271 - update safemode gem
(cherry picked from commit feb811114bca02dd746f7b275fbf04715b43376f)
Refs #20271 - remove to_proc syntax
History
#1
Updated by Marek Hulán over 5 years ago
- Category changed from Templates to Security
#2
Updated by Marek Hulán over 5 years ago
This should probably be cherry-picked to all supported Foreman versions.
#3
Updated by Tomer Brisker over 5 years ago
- Bugzilla link set to 1469599
#4
Updated by The Foreman Bot over 5 years ago
- Status changed from New to Ready For Testing
- Assignee set to Tomer Brisker
- Pull request https://github.com/theforeman/foreman/pull/4659 added
#5
Updated by Daniel Lobato Garcia over 5 years ago
- Legacy Backlogs Release (now unused) set to 276
#6
Updated by Anonymous over 5 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset feb811114bca02dd746f7b275fbf04715b43376f.
#7
Updated by Alex Fisher over 5 years ago
This possibly should be reopened until https://github.com/theforeman/community-templates/issues/406 is resolved.
#8
Updated by Daniel Lobato Garcia over 5 years ago
The fix is fine, on nightly it prevents using `&:`. The linked GH issue with templates not being 'aware' of this fix is a different thing.
#9
Updated by The Foreman Bot over 5 years ago
- Pull request https://github.com/theforeman/community-templates/pull/407 added
#10
Updated by The Foreman Bot over 5 years ago
- Pull request https://github.com/theforeman/foreman/pull/4669 added
#11
Updated by The Foreman Bot over 5 years ago
- Pull request https://github.com/theforeman/community-templates/pull/411 added
#12
Updated by Marek Hulán over 5 years ago
- Copied to Bug #20836: Safe mode rendering does not correctly prevent using symbol to proc calls added