Closed
Description
SUMMARY
Possibly related to CVE-2019-3828 (#52133)
The fetch module takes the source result from the slurp module, which came from the remote host. We don't really validate this path and it could have been manipulated by the remote host in a malicious way such that we end up with a path similar to /tmp/result_fetch/ansible1/../../../../../../../../../../../../../../../../home/<user>/.profile for the source. This allows an attacker to place a file the contents of which they control.
Relevant Code:
ansible/lib/ansible/plugins/action/fetch.py
Lines 83 to 102 in 79dfae9
Suggested correction from the reporter:
- Don't use `%s/%s/%s` to compute the destination file or clean the last argument
- add the following check:

```
target_dir = os.path.normpath(os.path.join(self._loader.path_dwim(dest), target_name))
dest = os.path.normpath(os.path.join(target_dir, source_local))
assert os.path.commonpath([target_dir, dest]) == target_dir
```

ISSUE TYPE
- Bug Report
COMPONENT NAME
lib/ansible/plugins/action/fetch.py
ANSIBLE VERSION
2.10
CONFIGURATION
default
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS
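The containment check suggested in the report, written out as an added example (not code from Ansible or from the reporter) beside the `%s/%s/%s` composition it replaces. The function names, the exception class and the sample paths are assumptions; it raises instead of using `assert`, because `assert` statements are removed when Python runs with `-O`.

```python
import os


class UnsafeFetchPath(ValueError):
    """Raised when a remote-supplied path would land outside the per-host directory."""


def naive_dest(dest_root, host, remote_source):
    # The '%s/%s/%s' composition described in the report: the remote-supplied
    # path is appended as-is, so '..' components can climb out of dest_root.
    return os.path.normpath("%s/%s/%s" % (dest_root, host, remote_source))


def contained_dest(dest_root, host, remote_source):
    # Per-host directory that every fetched file must stay under.
    target_dir = os.path.normpath(os.path.join(dest_root, host))
    # Treat an absolute remote path as relative to target_dir
    # (os.path.join would otherwise discard target_dir entirely).
    source_local = remote_source.replace("\\", "/").lstrip("/")
    dest = os.path.normpath(os.path.join(target_dir, source_local))
    # commonpath compares whole path components, so a sibling such as
    # 'ansible10' is not mistaken for being inside 'ansible1'.
    if os.path.commonpath([target_dir, dest]) != target_dir:
        raise UnsafeFetchPath("refusing %r: resolves to %s" % (remote_source, dest))
    return dest


if __name__ == "__main__":
    root, host = "/tmp/result_fetch", "ansible1"  # constructed sample values
    hostile = "../../../../../../home/example/.profile"  # constructed sample
    print("naive    :", naive_dest(root, host, hostile))
    for src in ("/etc/hosts", hostile, "../ansible10/stolen"):
        try:
            print("contained:", contained_dest(root, host, src))
        except UnsafeFetchPath as exc:
            print("rejected :", exc)
```

`os.path.normpath` is purely lexical and does not resolve symlinks, so this check covers `..` components in the reported path only.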