From 0d6d29933e613fe177e9235415919a5428db67bc Mon Sep 17 00:00:00 2001
From: Andrew Parker
Date: Mon, 2 Apr 2012 11:47:17 -0700
Subject: [PATCH] Fix for bucket_path security vulnerability
This is a fix for Bugs #13553, #13418, #13511. The bucket_path parameter allowed control over where the filebucket will try to read and write to. The only place available to stop this parameter is in the resolution from a URI to an indirectory terminus. The bucket_path is used internally for local filebuckets and so cannot be removed completely without a larger change to the design.
---
 lib/puppet/network/http/api/v1.rb | 1 +
 spec/unit/network/http/api/v1_spec.rb | 8 ++++++++
 2 files changed, 9 insertions(+)
diff --git a/lib/puppet/network/http/api/v1.rb b/lib/puppet/network/http/api/v1.rb
index 852568a5686..ef19fe4874a 100644
--- a/lib/puppet/network/http/api/v1.rb
+++ b/lib/puppet/network/http/api/v1.rb
@@ -31,6 +31,7 @@ def uri2indirection(http_method, uri, params)
 method = indirection_method(http_method, indirection)
 params[:environment] = Puppet::Node::Environment.new(environment)
+ params.delete(:bucket_path)
 raise ArgumentError, "No request key specified in #{uri}" if key == "" or key.nil?
diff --git a/spec/unit/network/http/api/v1_spec.rb b/spec/unit/network/http/api/v1_spec.rb
index 039bccfd526..115f57351c2 100755
--- a/spec/unit/network/http/api/v1_spec.rb
+++ b/spec/unit/network/http/api/v1_spec.rb
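Review bot: `params.delete(:bucket_path)` in lib/puppet/network/http/api/v1.rb removes only the symbol key, so the fix holds only if every caller of uri2indirection passes symbol-keyed params; the code that builds `params` is outside the hunk, so either confirm that or also drop the string form with `params.delete("bucket_path")`. The line has no comment, and a later cleanup could mistake it for dead code; something like `# bucket_path is only for local filebuckets; never honour it from a network request` would record why it is there. The delete is also silent, so a request that supplies the parameter leaves no trace; logging when the key was present would make such attempts visible to operators. uri2indirection starts and ends outside the hunk.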
@@ -42,6 +42,14 @@ class V1RestApiTester
 @tester.uri2indirection("GET", "/env/foo/bar", {:environment => "otherenv"})[3][:environment].to_s.should == "env"
 end
+ it "should not pass a buck_path parameter through (See Bugs #13553, #13518, #13511)" do
+ @tester.uri2indirection("GET", "/env/foo/bar", { :bucket_path => "/malicious/path" })[3].should_not include({ :bucket_path => "/malicious/path" })
+ end
+
+ it "should pass allowed parameters through" do
+ @tester.uri2indirection("GET", "/env/foo/bar", { :allowed_param => "value" })[3].should include({ :allowed_param => "value" })
+ end
+
 it "should return the environment as a Puppet::Node::Environment" do
 @tester.uri2indirection("GET", "/env/foo/bar", {})[3][:environment].should be_a Puppet::Node::Environment
 end
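Review bot: The first added example only proves that the exact pair `:bucket_path => "/malicious/path"` is absent, so it would still pass if the key survived with a different value; `[3].should_not have_key(:bucket_path)` states the intent directly. Its description says `buck_path` where `bucket_path` is meant, and it cites Bug #13518 while the commit message cites #13418, so one of the two numbers is presumably a typo. The enclosing describe block starts and ends outside the hunk.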