Reject directory traversal in store report processor

commit 554eefc55f57ed2b76e5ee04d8f194d36f6ee67f 1 parent fe53647
@pcarlisle pcarlisle authored
Showing with 21 additions and 3 deletions.
  1. +7 −3 lib/puppet/reports/store.rb
  2. +14 −0 spec/unit/reports/store_spec.rb
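--- a/lib/puppet/reports/store.rb
+++ b/lib/puppet/reports/store.rb
@@ -1,5 +1,7 @@
 require 'puppet'
+SEPARATOR = [Regexp.escape(File::SEPARATOR.to_s), Regexp.escape(File::ALT_SEPARATOR.to_s)].join
+
 Puppet::Reports.register_report(:store) do
 desc "Store the yaml report on disk. Each host sends its report as a YAML dump
 and this just stores the file on disk, in the `reportdir` directory.
@@ -11,9 +13,11 @@
 def process
 # We don't want any tracking back in the fs. Unlikely, but there
 # you go.
-client = self.host.gsub("..",".")
+if host =~ Regexp.union(/[#{SEPARATOR}]/, /\A\.\.?\Z/)
+raise ArgumentError, "Invalid node name #{host.inspect}"
+end
-dir = File.join(Puppet[:reportdir], client)
+dir = File.join(Puppet[:reportdir], host)
 if ! FileTest.exists?(dir)
 FileUtils.mkdir_p(dir)
@@ -35,7 +39,7 @@ def process
 end
 rescue => detail
 puts detail.backtrace if Puppet[:trace]
-Puppet.warning "Could not write report for #{client} at #{file}: #{detail}"
+Puppet.warning "Could not write report for #{host} at #{file}: #{detail}"
 end
 # Only testing cares about the return value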
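Review bot: An empty host name still passes the new guard at `if host =~ Regexp.union(/[#{SEPARATOR}]/, /\A\.\.?\Z/)`: `""` matches neither the separator class nor `/\A\.\.?\Z/`, so `File.join(Puppet[:reportdir], host)` on the following line resolves to the report root itself and the report file (written further down, outside this hunk) would presumably land directly in `reportdir` instead of a per-node directory. Extending the condition to `if host.to_s.empty? || host =~ Regexp.union(/[#{SEPARATOR}]/, /\A\.\.?\Z/)` closes that case with the same ArgumentError, and the spec's rejection list could then include `''`. Separately, `SEPARATOR` is assigned at the top level of this plugin file, so it becomes `Object::SEPARATOR` and is visible to every other file Puppet loads; a more specific name, or better a single frozen `Regexp` constant holding the whole union so it is not rebuilt on every call, would avoid collisions and the per-call allocation. The body of `process` continues outside the hunk.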
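--- a/spec/unit/reports/store_spec.rb
+++ b/spec/unit/reports/store_spec.rb
@@ -27,5 +27,19 @@
 File.read(File.join(Puppet[:reportdir], @report.host, "201101061200.yaml")).should == @report.to_yaml
 end
+
+['..', 'hello/', '/hello', 'he/llo', 'hello/..', '.'].each do |node|
+it "rejects #{node.inspect}" do
+@report.host = node
+expect { @report.process }.to raise_error(ArgumentError, /Invalid node/)
+end
+end
+
+['.hello', 'hello.', '..hi', 'hi..'].each do |node|
+it "accepts #{node.inspect}" do
+@report.host = node
+@report.process
+end
+end
 end
 end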
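Review bot: The "accepts" examples only prove that `@report.process` does not raise; they do not check that the report for a dotted-but-legal name was written under that node's own directory, which is the property the rejection list exists to protect. Mirroring the expectation at the top of the hunk, adding `File.read(File.join(Puppet[:reportdir], node, "201101061200.yaml")).should == @report.to_yaml` after the `process` call would pin that, assuming the same stubbed timestamp used by the earlier example is in effect here. The enclosing `describe` block starts outside the hunk.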