
Prevent RCE via inventory plugins #815

Merged
merged 3 commits into ansible-collections:main from the rce branch, Mar 14, 2024

Conversation

felixfontein (Collaborator)

SUMMARY

Fixing a potential RCE when using the inventory plugins.

Ref: https://www.die-welt.net/2024/03/remote-code-execution-in-ansible-dynamic-inventory-plugins/
Ref: https://forum.ansible.com/t/remote-code-execution-in-ansible-dynamic-inventory-plugins/4332/3

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

inventory plugins

felixfontein (Collaborator, Author)

TIL: don't make ansible_connection unsafe. Some versions of ansible-core won't like it.

felixfontein (Collaborator, Author)

(In this case it's OK anyway since that variable is set to a fixed string. So nothing nefarious can happen this way.)
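Added illustration, not code from this PR or from community.docker: the Python below simulates the mechanism the PR summary and the two comments above are about. Values an inventory plugin takes from the Docker API (container names, labels, addresses) end up as host variables, and ansible-core templates plain strings in host variables, so a label containing `{{ ... }}` is evaluated on the controller. Tagging everything that came from the container as unsafe stops the templar from rendering it, while a fixed string the plugin chose itself, such as `ansible_connection`, is left untagged. Everything here is a stand-in: `UnsafeText`, `make_unsafe`, `render`, `toy_evaluator`, `populate_hostvars`, `resolve` and the `CONTAINER` record are constructed for this example; the real pieces in ansible-core are `AnsibleUnsafeText` and `wrap_var` in `ansible.utils.unsafe_proxy` plus a Jinja2 templar, none of which is imported here. The toy evaluator only recognises `lookup('pipe', ...)` and records the command instead of running it.

```python
import re

# Toy stand-ins for the ansible-core pieces involved. Not the real API:
# ansible-core uses AnsibleUnsafeText / wrap_var (ansible.utils.unsafe_proxy)
# and its templar checks the __UNSAFE__ attribute before rendering a string.

TEMPLATE_RE = re.compile(r"\{\{(.*?)\}\}")
EXECUTED = []  # commands the toy evaluator would have run (constructed bookkeeping)


class UnsafeText(str):
    """Marker string type: the templar must never render values of this type."""
    __UNSAFE__ = True


def make_unsafe(value):
    """Recursively tag strings from an untrusted source (hypothetical helper
    playing the role of wrap_var)."""
    if isinstance(value, UnsafeText):
        return value
    if isinstance(value, str):
        return UnsafeText(value)
    if isinstance(value, dict):
        return {make_unsafe(k): make_unsafe(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(make_unsafe(v) for v in value)
    return value


def is_unsafe(value):
    return bool(getattr(value, "__UNSAFE__", False))


def toy_evaluator(expr):
    """Stand-in for Jinja2 expression evaluation. Understands only
    lookup('pipe', '<cmd>'); records the command instead of executing it."""
    m = re.fullmatch(r"lookup\(\s*'pipe'\s*,\s*'([^']*)'\s*\)", expr)
    if m:
        EXECUTED.append(m.group(1))
        return "<stdout of %s>" % m.group(1)
    return expr


def render(value):
    """Toy templar: expands {{ ... }} in plain str values, leaves unsafe-tagged
    strings and non-string values untouched, recurses into containers."""
    if isinstance(value, dict):
        return {k: render(v) for k, v in value.items()}
    if isinstance(value, list):
        return [render(v) for v in value]
    if isinstance(value, str) and not is_unsafe(value):
        return TEMPLATE_RE.sub(lambda m: str(toy_evaluator(m.group(1).strip())), value)
    return value


# Constructed sample: the subset of `docker inspect` output an inventory plugin
# reads. The label value is attacker-controlled (whoever can set container labels).
CONTAINER = {
    "Name": "/web-1",
    "Config": {"Labels": {"com.example.owner": "{{ lookup('pipe', 'id') }}"}},
    "NetworkSettings": {"IPAddress": "172.17.0.2"},
}


def populate_hostvars(container, harden):
    """Build a host entry the way an inventory plugin would. harden=False is the
    pre-fix behaviour; harden=True tags every value taken from Docker as unsafe."""
    name = container["Name"].lstrip("/")
    hostvars = {
        "docker_labels": container["Config"]["Labels"],
        "ansible_host": container["NetworkSettings"]["IPAddress"],
    }
    if harden:
        name = make_unsafe(name)
        hostvars = make_unsafe(hostvars)
    # Fixed string chosen by the plugin, not by the container: deliberately kept
    # a plain str (the "don't make ansible_connection unsafe" point above).
    hostvars["ansible_connection"] = "ssh"
    return name, hostvars


def resolve(container, harden):
    """Populate, then template; returns (rendered hostvars, commands that ran)."""
    del EXECUTED[:]
    _name, hostvars = populate_hostvars(container, harden)
    return render(hostvars), list(EXECUTED)


if __name__ == "__main__":
    for harden in (False, True):
        rendered, ran = resolve(CONTAINER, harden)
        print("harden=%s owner=%r ran=%r"
              % (harden, rendered["docker_labels"]["com.example.owner"], ran))
```

Running it shows the pre-fix path evaluating the label (the recorded command is `id`), and the hardened path returning the label text verbatim with nothing run, while `ansible_connection` stays an ordinary string in both cases.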

felixfontein merged commit bf1281a into ansible-collections:main Mar 14, 2024
123 checks passed
patchback bot (Contributor) commented Mar 14, 2024

Backport to stable-2: 💔 cherry-picking failed — conflicts found

❌ Failed to cleanly apply bf1281a on top of patchback/backports/stable-2/bf1281ae7fd7ce41ecaec2ca05c5b54d913d4298/pr-815

Backporting merged PR #815 into main

  1. Ensure you have a local repo clone of your fork. Unless you cloned it
    from the upstream, this would be your origin remote.
  2. Make sure you have an upstream repo added as a remote too. In these
    instructions you'll refer to it by the name upstream. If you don't
    have it, here's how you can add it:
    $ git remote add upstream https://github.com/ansible-collections/community.docker.git
  3. Ensure you have the latest copy of upstream and prepare a branch
    that will hold the backported code:
    $ git fetch upstream
    $ git checkout -b patchback/backports/stable-2/bf1281ae7fd7ce41ecaec2ca05c5b54d913d4298/pr-815 upstream/stable-2
  4. Now, cherry-pick PR Prevent RCE via inventory plugins #815 contents into that branch:
    $ git cherry-pick -x bf1281ae7fd7ce41ecaec2ca05c5b54d913d4298
    If it'll yell at you with something like fatal: Commit bf1281ae7fd7ce41ecaec2ca05c5b54d913d4298 is a merge but no -m option was given., add -m 1 as follows instead:
    $ git cherry-pick -m1 -x bf1281ae7fd7ce41ecaec2ca05c5b54d913d4298
  5. At this point, you'll probably encounter some merge conflicts. You must
    resolve them to preserve the patch from PR Prevent RCE via inventory plugins #815 as close to the
    original as possible.
  6. Push this branch to your fork on GitHub:
    $ git push origin patchback/backports/stable-2/bf1281ae7fd7ce41ecaec2ca05c5b54d913d4298/pr-815
  7. Create a PR, ensure that the CI is green. If it's not — update it so that
    the tests and any other checks pass. This is it!
    Now relax and wait for the maintainers to process your pull request
    when they have some cycles to do reviews. Don't worry — they'll tell you if
    any improvements are necessary when the time comes!

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

felixfontein deleted the rce branch March 14, 2024 19:08

felixfontein (Collaborator, Author)

@markuman thanks again for reviewing this!

felixfontein added a commit to felixfontein/community.docker that referenced this pull request Mar 14, 2024
* Prevent RCE via inventory plugins.

* Do not make ansible_connection unsafe.

* Add test.

(cherry picked from commit bf1281a)
felixfontein added a commit to felixfontein/community.docker that referenced this pull request Mar 14, 2024
* Prevent RCE via inventory plugins.

* Do not make ansible_connection unsafe.

* Add test.

(cherry picked from commit bf1281a)
felixfontein added a commit that referenced this pull request Mar 14, 2024
* Prevent RCE via inventory plugins.

* Do not make ansible_connection unsafe.

* Add test.

(cherry picked from commit bf1281a)