
fetch module path traversal #67793

Closed
@samdoran

SUMMARY

CVE-2020-1735

Possibly related to CVE-2019-3828 (#52133)

The fetch module takes the source result from the slurp module, which came from the remote host. We don't really validate this path and it could have been manipulated by the remote host in a malicious way such that we end up with a path similar to /tmp/result_fetch/ansible1/../../../../../../../../../../../../../../../../home/<user>/.profile for the source. This allows an attacker to place a file the contents of which they control.

Relevant Code:

```python
slurpres = self._execute_module(module_name='slurp', module_args=dict(src=source), task_vars=task_vars)
if slurpres.get('failed'):
    if not fail_on_missing and (slurpres.get('msg').startswith('file not found') or remote_checksum == '1'):
        result['msg'] = "the remote file does not exist, not transferring, ignored"
        result['file'] = source
        result['changed'] = False
    else:
        result.update(slurpres)
    return result
else:
    if slurpres['encoding'] == 'base64':
        remote_data = base64.b64decode(slurpres['content'])
    if remote_data is not None:
        remote_checksum = checksum_s(remote_data)
    # the source path may have been expanded on the
    # target system, so we compare it here and use the
    # expanded version if it's different
    remote_source = slurpres.get('source')
    if remote_source and remote_source != source:
        source = remote_source
```

Suggested correction from the reporter:

  • Don't use %s/%s/%s to compute the destination file or clean the last argument
  • add the following check:
```python
target_dir = os.path.normpath(os.path.join(self._loader.path_dwim(dest), target_name))
dest = os.path.normpath(os.path.join(target_dir, source_local))
assert os.path.commonpath([target_dir, dest]) == target_dir
```
ISSUE TYPE
  • Bug Report
COMPONENT NAME

lib/ansible/plugins/action/fetch.py

ANSIBLE VERSION
2.10
CONFIGURATION
default
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS
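
Added example, not part of the original issue and not Ansible's code: a stand-alone sketch of the containment check the reporter suggests, next to the unchecked '%s/%s/%s' construction. The function names (naive_dest, contained_dest, is_rejected) and the sample paths are hypothetical and constructed for illustration.

```python
import os


def naive_dest(base_dir, host, source):
    """Destination built as '%s/%s/%s' from the remote-reported source, unchecked."""
    return os.path.normpath("%s/%s/%s" % (base_dir, host, source))


def contained_dest(base_dir, host, source):
    """Destination that must stay under <base_dir>/<host>, else ValueError."""
    target_dir = os.path.normpath(os.path.join(base_dir, host))
    # Drop leading separators: os.path.join() discards target_dir when the
    # second argument is absolute.
    source_local = source.lstrip("/")
    dest = os.path.normpath(os.path.join(target_dir, source_local))
    # commonpath() compares whole path components, so a sibling such as
    # .../ansible10 is not mistaken for being inside .../ansible1 the way a
    # plain string-prefix test would. An explicit raise is used because
    # assert statements are removed under `python -O`.
    if os.path.commonpath([target_dir, dest]) != target_dir:
        raise ValueError("source %r escapes %s" % (source, target_dir))
    return dest


def is_rejected(base_dir, host, source):
    """True when contained_dest() refuses the remote-reported source."""
    try:
        contained_dest(base_dir, host, source)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base, host = "/tmp/result_fetch", "ansible1"  # constructed sample values
    for src in ("/etc/hosts",                            # ordinary fetch
                "../../../../../../home/user/.profile",  # traversal from the issue
                "../ansible10/etc/hosts"):               # sibling directory
        print(src, "->", naive_dest(base, host, src),
              "| rejected:", is_rejected(base, host, src))
```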

Labels

  • affects_2.10: This issue/PR affects Ansible v2.10
  • bug: This issue/PR relates to a bug.
  • files: Files category
  • has_pr: This issue has an associated PR.
  • module: This issue/PR relates to a module.
  • security: Related to a vulnerability or CVE
  • support:core: This issue/PR relates to code supported by the Ansible Engineering Team.
