Commit
Merge remote-tracking branch 'cve/security/3.2.3/21971-remote-execution-through-resource_type' into release_3.2.4

* cve/security/3.2.3/21971-remote-execution-through-resource_type:
  (#21971) Fixes PathPattern's usage of Dir.glob for Windows
  (#21971) Fix TypeLoader#import_all on Ruby 1.8.7
  (#21971) Create system for safely dealing with path patterns
  (#21971) Split import and autoloading code paths
  (#21971) Add test for accessing based on master being at root
  (#21971) Check for possible directory traversal
  (Maint) Clean up specs
  (Maint) Use dirname instead of regexes
  (#21971) Create test to show exploit of resource_type

Conflicts:
  lib/puppet/parser/type_loader.rb
  spec/unit/parser/type_loader_spec.rb
Showing 13 changed files with 414 additions and 226 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
module Puppet::FileSystem | ||
require 'puppet/file_system/path_pattern' | ||
end |
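Review bot: The compact form `module Puppet::FileSystem` on the first added line raises NameError unless `Puppet` is already defined when this file is loaded, and the new module carries no comment saying what belongs in it. Either nest it as `module Puppet; module FileSystem` or note the load-order requirement, and add a one-line description of the namespace.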
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,98 @@ | ||
require 'pathname' | ||
|
||
module Puppet::FileSystem | ||
class PathPattern | ||
class InvalidPattern < Puppet::Error; end | ||
|
||
TRAVERSAL = /\.\./ | ||
ABSOLUTE_UNIX = /^\// | ||
ABSOLUTE_WINDOWS = /^[a-z]:/i | ||
#ABSOLUT_VODKA #notappearinginthisclass | ||
CURRENT_DRIVE_RELATIVE_WINDOWS = /^\\/ | ||
|
||
def self.relative(pattern) | ||
RelativePathPattern.new(pattern) | ||
end | ||
|
||
def self.absolute(pattern) | ||
AbsolutePathPattern.new(pattern) | ||
end | ||
|
||
class << self | ||
protected :new | ||
end | ||
|
||
# @param prefix [AbsolutePathPattern] An absolute path pattern instance | ||
# @return [AbsolutePathPattern] A new AbsolutePathPattern prepended with | ||
# the passed prefix's pattern. | ||
def prefix_with(prefix) | ||
new_pathname = prefix.pathname + pathname | ||
self.class.absolute(new_pathname.to_s) | ||
end | ||
|
||
def glob | ||
Dir.glob(pathname.to_s) | ||
end | ||
|
||
def to_s | ||
pathname.to_s | ||
end | ||
|
||
protected | ||
|
||
attr_reader :pathname | ||
|
||
private | ||
|
||
def validate(pattern) | ||
stripped = pattern.strip | ||
case stripped | ||
when TRAVERSAL | ||
raise(InvalidPattern, "PathPatterns cannot be created with directory traversals.") | ||
when CURRENT_DRIVE_RELATIVE_WINDOWS | ||
raise(InvalidPattern, "A PathPattern cannot be a Windows current drive relative path.") | ||
end | ||
return stripped | ||
end | ||
|
||
def initialize(pattern) | ||
stripped = validate(pattern) | ||
begin | ||
@pathname = Pathname.new(stripped) | ||
rescue ArgumentError => error | ||
raise InvalidPattern.new("PathPatterns cannot be created with a zero byte.", error) | ||
end | ||
end | ||
end | ||
|
||
class RelativePathPattern < PathPattern | ||
def absolute? | ||
false | ||
end | ||
|
||
def validate(pattern) | ||
stripped = super(pattern) | ||
case stripped | ||
when ABSOLUTE_WINDOWS | ||
raise(InvalidPattern, "A relative PathPattern cannot be prefixed with a drive.") | ||
when ABSOLUTE_UNIX | ||
raise(InvalidPattern, "A relative PathPattern cannot be an absolute path.") | ||
end | ||
return stripped | ||
end | ||
end | ||
|
||
class AbsolutePathPattern < PathPattern | ||
def absolute? | ||
true | ||
end | ||
|
||
def validate(pattern) | ||
stripped = super(pattern) | ||
if stripped !~ ABSOLUTE_UNIX and stripped !~ ABSOLUTE_WINDOWS | ||
raise(InvalidPattern, "An absolute PathPattern cannot be a relative path.") | ||
end | ||
stripped | ||
end | ||
end | ||
end |
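Review bot: In AbsolutePathPattern#validate the test `stripped !~ ABSOLUTE_UNIX and stripped !~ ABSOLUTE_WINDOWS` depends on `^`, which in Ruby matches at the start of any line, so a pattern that begins relative and contains an embedded newline followed by `/` or a drive letter is accepted as absolute; `strip` removes only leading and trailing whitespace. Anchoring ABSOLUTE_UNIX, ABSOLUTE_WINDOWS and CURRENT_DRIVE_RELATIVE_WINDOWS with `\A` makes each check apply to the start of the string. Separately, prefix_with is defined on the base class and computes `prefix.pathname + pathname`; Pathname#+ returns the right-hand operand unchanged when it is absolute, so calling it on an AbsolutePathPattern silently discards the prefix. Defining it only on RelativePathPattern, or raising when the receiver is absolute, avoids that. The unanchored TRAVERSAL also rejects names such as `a..b`, which errs in the safe direction but should be stated in a comment, and the rescue in initialize reports every ArgumentError as a zero byte, which is worth narrowing or rewording.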