Permalink
Browse files

(#19531) (CVE-2013-2275) Only allow report save from the node matchin…

…g the certname

Without this patch applied any authenticated client is able to save a
report for any node by default.  This is a problem because the
compliance feature of Puppet Enterprise expects reports to be submitted
only from the node the report is associated with.

This patch addresses the problem by restricting the access control rules
in a similar manner to the catalog.  With this patch applied, the
default behavior of the Puppet master will only allow reports to be
saved when the node name matches the cert name.
  • Loading branch information...
1 parent 531a280 commit b9023b0c919312df648e424f392aa88c9b081599 @jeffmccune jeffmccune committed Mar 1, 2013
Showing with 16 additions and 4 deletions.
  1. +3 −3 conf/auth.conf
  2. +1 −1 lib/puppet/network/authconfig.rb
  3. +12 −0 spec/unit/network/authconfig_spec.rb
View
@@ -75,10 +75,10 @@ path /certificate_revocation_list/ca
method find
allow *
-# allow all nodes to store their reports
-path /report
+# allow all nodes to store their own reports
+path ~ ^/report/([^/]+)$
method save
-allow *
+allow $1
# Allow all nodes to access all file services; this is necessary for
# pluginsync, file serving from modules, and file serving from custom
@@ -15,7 +15,7 @@ class Network::AuthConfig
# to fileserver.conf
{ :acl => "/file" },
{ :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },
- { :acl => "/report", :method => :save, :authenticated => true },
+ { :acl => "~ ^\/report\/([^\/]+)$", :method => :save, :allow => '$1', :authenticated => true },
# These allow `auth any`, because if you can do them anonymously you
# should probably also be able to do them when trusted.
{ :acl => "/certificate/ca", :method => :find, :authenticated => :any },
@@ -78,6 +78,18 @@
@authconfig.rights['/'].should be_empty
@authconfig.rights['/'].authentication.should be_false
end
+
+ it '(CVE-2013-2275) allows report submission only for the node matching the certname by default' do
+ acl = {
+ :acl => "~ ^\/report\/([^\/]+)$",
+ :method => :save,
+ :allow => '$1',
+ :authenticated => true
+ }
+ @authconfig.stubs(:mk_acl)
+ @authconfig.expects(:mk_acl).with(acl)
+ @authconfig.insert_default_acl
+ end
end
describe "when checking authorization" do

0 comments on commit b9023b0

Please sign in to comment.