Skip to content

Commit

Permalink
Fix for bucket_path security vulnerability
Browse files Browse the repository at this point in the history
This is a fix for Bugs #13553, #13418, #13511. The bucket_path parameter
allowed control over where the filebucket will try to read and write to.
The only place available to stop this parameter is in the resolution
from a URI to an indirectory terminus. The bucket_path is used
internally for local filebuckets and so cannot be removed completely
without a larger change to the design.

Conflicts:

	lib/puppet/network/http/api/v1.rb
	spec/unit/network/http/api/v1_spec.rb

Conflicts resolved by modifying the patch to fit the use of
Puppet::Indirector::Request in the code.
  • Loading branch information
zaphod42 committed Apr 2, 2012
1 parent 6bef2e6 commit 568ded5
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 0 deletions.
1 change: 1 addition & 0 deletions lib/puppet/network/http/api/v1.rb
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ def uri2indirection(http_method, uri, params)
method = indirection_method(http_method, indirection)

params[:environment] = environment
params.delete(:bucket_path)

raise ArgumentError, "No request key specified in #{uri}" if key == "" or key.nil?

Expand Down
8 changes: 8 additions & 0 deletions spec/unit/network/http/api/v1_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,14 @@ class V1RestApiTester
@tester.uri2indirection("GET", "/env/foo/bar", {:environment => "otherenv"}).environment.should == Puppet::Node::Environment.new("env")
end

it "should not pass a buck_path parameter through (See Bugs #13553, #13518, #13511)" do
@tester.uri2indirection("GET", "/env/foo/bar", { :bucket_path => "/malicious/path" }).options.should_not include({ :bucket_path => "/malicious/path" })
end

it "should pass allowed parameters through" do
@tester.uri2indirection("GET", "/env/foo/bar", { :allowed_param => "value" }).options.should include({ :allowed_param => "value" })
end

it "should use the second field of the URI as the indirection name" do
@tester.uri2indirection("GET", "/env/foo/bar", {}).indirection_name.should == :foo
end
Expand Down

0 comments on commit 568ded5

Please # to comment.