pipe lookup plugin enables shell by default #67792

Closed
samdoran opened this issue Feb 26, 2020 · 4 comments
Labels
affects_2.10 This issue/PR affects Ansible v2.10 bug This issue/PR relates to a bug. has_pr This issue has an associated PR. security Related to a vulnerability or CVE support:core This issue/PR relates to code supported by the Ansible Engineering Team.


@samdoran
Contributor

SUMMARY

CVE-2020-1734

The pipe lookup plugin should use shell=False by default to avoid potential privilege escalation. A new option should provide a way to enable shell=True.

If a variable is passed to the pipe lookup, that variable could be overridden via facts, leading to arbitrary code execution.

Relevant code:

p = subprocess.Popen(term, cwd=self._loader.get_basedir(), shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE)

It seems like this change was made intentionally quite a while ago (#6550). Changing the default will probably break a lot of things for people. 😞

ISSUE TYPE
  • Bug Report
COMPONENT NAME

lib/ansible/plugins/lookup/pipe.py

ANSIBLE VERSION
2.10
CONFIGURATION
default
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS

@samdoran samdoran added the security Related to a vulnerability or CVE label Feb 26, 2020
@ansibot
Contributor

ansibot commented Feb 26, 2020

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibot ansibot added affects_2.10 This issue/PR affects Ansible v2.10 bug This issue/PR relates to a bug. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Feb 26, 2020
@bcoca
Member

bcoca commented Apr 1, 2020

This is intended functionality, it is up to the playbook author to ensure that they use the |quote filter where appropriate.

@ansibot ansibot added the has_pr This issue has an associated PR. label Apr 1, 2020
@bcoca bcoca self-assigned this Apr 3, 2020
@bcoca
Member

bcoca commented Apr 16, 2020

closing as per above

@bcoca bcoca closed this as completed Apr 16, 2020
@carnil

carnil commented Apr 16, 2020

@bcoca, does this mean the CVE assignment is invalid then and should be rejected at MITRE level? (Via https://cveform.mitre.org).

@ansible ansible locked and limited conversation to collaborators May 14, 2020
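
The two positions in this thread (a shell=False default in the issue, the |quote filter in the reply) compared side by side, as an added example that is not Ansible's code and not part of any comment above. The helpers run_shell and run_argv and the sample value are hypothetical; shlex.quote stands in for the |quote filter, and the cwd argument from the quoted line is left out.

```python
import shlex
import subprocess

# Constructed sample: a value the playbook author expected to be a plain
# file name, but which came from an overridable source such as a fact.
UNTRUSTED = "report.txt; echo INJECTED"


def run_shell(term):
    """Same call shape as the line quoted in the issue (shell=True)."""
    p = subprocess.Popen(term, shell=True, stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE)
    out, _ = p.communicate()
    return out.decode().splitlines()


def run_argv(term):
    """Hypothetical shell=False variant: split once, exec without a shell.

    Shell metacharacters lose their meaning, but the value can still add
    extra arguments to the one program that runs.
    """
    p = subprocess.Popen(shlex.split(term), shell=False,
                         stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    out, _ = p.communicate()
    return out.decode().splitlines()


def demo():
    unquoted = "echo " + UNTRUSTED             # like "echo {{ var }}"
    quoted = "echo " + shlex.quote(UNTRUSTED)  # like "echo {{ var | quote }}"
    return {
        # The shell sees ';' and runs a second command.
        "shell_unquoted": run_shell(unquoted),
        # Quoting keeps the whole value as one argument to echo.
        "shell_quoted": run_shell(quoted),
        # No shell: ';' is just a character inside an argument.
        "argv_unquoted": run_argv(unquoted),
    }


if __name__ == "__main__":
    for case, lines in demo().items():
        print(case, lines)
```

Only the unquoted shell=True case yields a second output line, which is the behaviour the issue asks to turn off by default and the reply leaves to the playbook author.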