
Commit 387b764

abenariohadlevy
authored andcommitted
Fix Foreman SQL injection through search mechanism CVE-2012-5648
1 parent 4a073b8 commit 387b764


2 files changed

+10
-7
lines changed


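--- a/app/models/hostext/search.rb
+++ b/app/models/hostext/search.rb
@@ -51,15 +51,16 @@ def self.included(base)
 
 def self.search_by_user(key, operator, value)
 key_name = key.sub(/^.*\./,'')
-users = User.all(:conditions => "#{key_name} #{operator} '#{value_to_sql(operator, value)}'")
+condition = sanitize_sql_for_conditions(["? #{operator} ?", key_name, value_to_sql(operator, value)])
+users = User.all(:conditions => condition)
 hosts = users.map(&:hosts).flatten
-opts = hosts.empty? ? "= 'nil'" : "IN (#{hosts.map(&:id).join(',')})"
+opts = hosts.empty? ? "< 0" : "IN (#{hosts.map(&:id).join(',')})"
 
 return {:conditions => " hosts.id #{opts} " }
 end
 
 def self.search_by_puppetclass(key, operator, value)
-conditions = "puppetclasses.name #{operator} '#{value_to_sql(operator, value)}'"
+conditions = sanitize_sql_for_conditions(["puppetclasses.name #{operator} ?", value_to_sql(operator, value)])
 hosts = Host.my_hosts.all(:conditions => conditions, :joins => :puppetclasses, :select => 'DISTINCT hosts.id').map(&:id)
 host_groups = Hostgroup.all(:conditions => conditions, :joins => :puppetclasses, :select => 'DISTINCT hostgroups.id').map(&:id)
 
@@ -73,12 +74,14 @@ def self.search_by_puppetclass(key, operator, value)
 
 def self.search_by_params(key, operator, value)
 key_name = key.sub(/^.*\./,'')
-opts = {:conditions => "name = '#{key_name}' and value #{operator} '#{value_to_sql(operator, value)}'", :order => :priority}
+condition = sanitize_sql_for_conditions(["name = ? and value #{operator} ?", key_name, value_to_sql(operator, value)])
+opts = {:conditions => condition, :order => :priority}
 p = Parameter.all(opts)
 return {:conditions => '1 = 0'} if p.blank?
 
 max = p.first.priority
-negate_opts = {:conditions => "name = '#{key_name}' and NOT(value #{operator} '#{value_to_sql(operator, value)}') and priority > #{max}", :order => :priority}
+condition = sanitize_sql_for_conditions(["name = ? and NOT(value #{operator} ?) and priority > ?",key_name,value_to_sql(operator, value), max])
+negate_opts = {:conditions => condition, :order => :priority}
 n = Parameter.all(negate_opts)
 
 conditions = param_conditions(p)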
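Review bot: Binding `key_name` through `?` in `sanitize_sql_for_conditions(["? #{operator} ?", key_name, ...])` in search_by_user turns the column name into a quoted string literal, so the generated condition compares two literals (for example `'login' = 'admin'`) instead of a column to a value and the user lookup will stop matching; bind only the value and check the identifier against the model's columns, e.g. `raise ArgumentError, "unknown user field #{key_name}" unless User.column_names.include?(key_name)` followed by `condition = sanitize_sql_for_conditions(["#{connection.quote_column_name(key_name)} #{operator} ?", value_to_sql(operator, value)])`. The two search_by_params bindings are fine, since `name` there is compared to a value rather than used as an identifier. `#{operator}` is still interpolated unescaped into every rewritten condition here, in search_by_params and in search_by_host in app/models/puppetclass.rb; this presumably relies on scoped_search only ever passing one of its fixed operators, which is worth recording with a comment such as `# operator comes from scoped_search's fixed operator set, never from a raw request value`. search_by_puppetclass and search_by_params continue past the hunks.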

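--- a/app/models/puppetclass.rb
+++ b/app/models/puppetclass.rb
@@ -151,8 +151,8 @@ def as_json(options={})
 end
 
 def self.search_by_host(key, operator, value)
-conditions = "hosts.name #{operator} '#{value_to_sql(operator, value)}'"
-direct = Puppetclass.all(:conditions => conditions, :joins => :hosts, :select => 'puppetclasses.id').map(&:id).uniq
+conditions = sanitize_sql_for_conditions(["hosts.name #{operator} ?", value_to_sql(operator, value)])
+direct = Puppetclass.joins(:hosts).where(conditions).select('puppetclasses.id').map(&:id).uniq
 hostgroup = Hostgroup.joins(:hosts).where(conditions).first
 indirect = HostgroupClass.where(:hostgroup_id => hostgroup.path_ids).pluck(:puppetclass_id).uniq
 return { :conditions => "1=0" } if direct.blank? && indirect.blank?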
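Review bot: The rewritten `direct` query copes with no matching hosts (it yields an empty array), but the unchanged `hostgroup = ...first` on the following line returns nil in that case and `hostgroup.path_ids` then raises NoMethodError before the `1=0` guard is reached. This predates the commit, but since the commit already touches the surrounding lines it is worth making the lookup nil-safe, e.g. `indirect = hostgroup ? HostgroupClass.where(:hostgroup_id => hostgroup.path_ids).pluck(:puppetclass_id).uniq : []`. search_by_host continues past the hunk.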
