Bug #20271

Safe mode rendering does not correctly prevent using symbol to proc calls

Added by Tomer Brisker about 1 year ago. Updated 9 days ago.

Status: Closed
Priority: High
Assignee: Tomer Brisker
Category: Security
Target version: 1.15.3
Difficulty:
Team Backlog:
Triaged:
Fixed in Releases:
Bugzilla link: 1469599
Found in Releases:
Pull request: https://github.com/theforeman/community-templates/pull/411, https://github.com/theforeman/foreman/pull/4659, https://github.com/theforeman/community-templates/pull/407, https://github.com/theforeman/foreman/pull/4669

Description

Using methods such as `.each`, a user can pass as an argument a symbol to be called, for example `.each(&:delete)`.
This allows execution of commands that should be blocked by the jail.
A fix proposal in the safemode gem has been suggested: https://github.com/svenfuchs/safemode/pull/23
Once it is merged we should update our version of the gem to the latest one.
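The following is an added example, not code from the safemode gem, Foreman, or the authors of this issue. It models the bypass described above with a hand-written jail and a parse-time check in the spirit of the fix (refusing the `&` block-pass syntax). The `Jail`, `Interface`, `to_jail` and `check_template!` names are illustrative; the gem itself rewrites the parsed template so that every receiver is jailed, and the explicit `to_jail` calls below stand in for that rewrite.

```ruby
# Added example, not code from the safemode gem or Foreman. It models why
# `.each(&:delete)` escapes a method-call jail that `.each { |i| i.delete }`
# does not, and a parse-time check in the spirit of the fix (rejecting the
# `&` block-pass syntax). Class and method names here are illustrative.

# A jailed object forwards only allowlisted method names to the real object.
# BasicObject keeps Object's own methods (send, instance_eval, ...) out of reach.
class Jail < BasicObject
  def initialize(source, allowed)
    @source  = source
    @allowed = allowed
  end

  def method_missing(name, *args, &block)
    unless @allowed.include?(name)
      ::Kernel.raise ::NoMethodError, "#{name} is not allowed in the jail"
    end
    # The block (if any) is handed to the real object, which yields RAW
    # elements to it. Only code the template parser rewrote is jailed.
    @source.public_send(name, *args, &block)
  end
end

# Hypothetical domain object standing in for a host's network interface.
class Interface
  attr_reader :name
  def initialize(name)
    @name = name
    @deleted = false
  end
  def delete;   @deleted = true; end
  def deleted?; @deleted;        end
end

# Jail rules (illustrative): interfaces expose only their name, arrays only
# iteration. `delete` is never allowed.
def to_jail(obj)
  case obj
  when Interface then Jail.new(obj, [:name])
  when Array     then Jail.new(obj, [:each, :map, :size])
  else obj
  end
end

# What a template line `interfaces.each { |i| i.delete }` becomes once the
# parser has wrapped every receiver in the block body: the call is blocked.
def rewritten_block_form(interfaces)
  to_jail(interfaces).each { |i| to_jail(i).delete }
end

# What `interfaces.each(&:delete)` does: Symbol#to_proc builds the block
# inside the interpreter, so there is no block body for the parser to
# rewrite, and `delete` lands on the raw element the Array yields.
def block_pass_form(interfaces)
  to_jail(interfaces).each(&:delete)
  interfaces
end

# Parse-time mitigation: walk the template's AST and refuse any BLOCK_PASS
# node (`&expr` in an argument list), which is what `&:delete` parses to.
def block_pass?(node)
  return false unless node.is_a?(RubyVM::AbstractSyntaxTree::Node)
  node.type == :BLOCK_PASS || node.children.any? { |c| block_pass?(c) }
end

def check_template!(src)
  if block_pass?(RubyVM::AbstractSyntaxTree.parse(src))
    raise SecurityError, "block-pass (&) syntax is not allowed in templates"
  end
  src
end

if $PROGRAM_NAME == __FILE__
  ifaces = [Interface.new('eth0'), Interface.new('eth1')]  # constructed sample
  begin
    rewritten_block_form(ifaces)
  rescue NoMethodError => e
    puts "block form blocked: #{e.message}"
  end
  block_pass_form(ifaces)
  puts "after &:delete, deleted: #{ifaces.map(&:deleted?).inspect}"
  begin
    check_template!('interfaces.each(&:delete)')
  rescue SecurityError => e
    puts "parse-time check: #{e.message}"
  end
end
```

The point the model makes is that the jail only sees method calls the template parser could rewrite; a block created by `Symbol#to_proc` has no source to rewrite, and the jailed `each` still hands the real elements to it. Refusing `BLOCK_PASS` at parse time closes that path, but it also rejects legitimate `map(&:name)` style code, which is why templates relying on that syntax had to be changed alongside the gem update.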


Related issues

Copied to Katello - Bug #20836: Safe mode rendering does not correctly prevent using symb... Closed 07/11/2017

Associated revisions

Revision feb81111
Added by Tomer Brisker about 1 year ago

Fixes #20271 - update safemode gem

Revision b1b357cf
Added by Tomer Brisker about 1 year ago

Fixes #20271 - update safemode gem

Revision 4b740d96
Added by Tomer Brisker about 1 year ago

Fixes #20271 - update safemode gem

(cherry picked from commit feb811114bca02dd746f7b275fbf04715b43376f)

Revision 760f3a28
Added by Marek Hulán about 1 year ago

Refs #20271 - remove to_proc syntax

History

#1 Updated by Marek Hulán about 1 year ago

  • Category changed from Templates to Security

#2 Updated by Marek Hulán about 1 year ago

This should probably be cherry-picked to all supported Foreman versions.

#3 Updated by Tomer Brisker about 1 year ago

  • Bugzilla link set to 1469599

#4 Updated by The Foreman Bot about 1 year ago

  • Status changed from New to Ready For Testing
  • Assignee set to Tomer Brisker
  • Pull request https://github.com/theforeman/foreman/pull/4659 added

#5 Updated by Daniel Lobato Garcia about 1 year ago

  • Legacy Backlogs Release (now unused) set to 276

#6 Updated by Anonymous about 1 year ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#7 Updated by Alex Fisher about 1 year ago

This possibly should be reopened until https://github.com/theforeman/community-templates/issues/406 is resolved.

#8 Updated by Daniel Lobato Garcia about 1 year ago

The fix is fine, on nightly it prevents using `&:`. The linked GH issue with templates not being 'aware' of this fix is a different thing.

#9 Updated by The Foreman Bot about 1 year ago

  • Pull request https://github.com/theforeman/community-templates/pull/407 added

#10 Updated by The Foreman Bot about 1 year ago

  • Pull request https://github.com/theforeman/foreman/pull/4669 added

#11 Updated by The Foreman Bot 11 months ago

  • Pull request https://github.com/theforeman/community-templates/pull/411 added

#12 Updated by Marek Hulán 11 months ago

  • Copied to Bug #20836: Safe mode rendering does not correctly prevent using symbol to proc calls added
