Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix Foreman SQL injection through search mechanism CVE-2012-5648
  • Loading branch information
abenari authored and ohadlevy committed Dec 19, 2012
1 parent 4a073b8 commit 387b764
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 7 deletions.
13 changes: 8 additions & 5 deletions app/models/hostext/search.rb
Expand Up @@ -51,15 +51,16 @@ def self.included(base)

def self.search_by_user(key, operator, value)
key_name = key.sub(/^.*\./,'')
users = User.all(:conditions => "#{key_name} #{operator} '#{value_to_sql(operator, value)}'")
condition = sanitize_sql_for_conditions(["? #{operator} ?", key_name, value_to_sql(operator, value)])
users = User.all(:conditions => condition)
hosts = users.map(&:hosts).flatten
opts = hosts.empty? ? "= 'nil'" : "IN (#{hosts.map(&:id).join(',')})"
opts = hosts.empty? ? "< 0" : "IN (#{hosts.map(&:id).join(',')})"

return {:conditions => " hosts.id #{opts} " }
end

def self.search_by_puppetclass(key, operator, value)
conditions = "puppetclasses.name #{operator} '#{value_to_sql(operator, value)}'"
conditions = sanitize_sql_for_conditions(["puppetclasses.name #{operator} ?", value_to_sql(operator, value)])
hosts = Host.my_hosts.all(:conditions => conditions, :joins => :puppetclasses, :select => 'DISTINCT hosts.id').map(&:id)
host_groups = Hostgroup.all(:conditions => conditions, :joins => :puppetclasses, :select => 'DISTINCT hostgroups.id').map(&:id)

Expand All @@ -73,12 +74,14 @@ def self.search_by_puppetclass(key, operator, value)

def self.search_by_params(key, operator, value)
key_name = key.sub(/^.*\./,'')
opts = {:conditions => "name = '#{key_name}' and value #{operator} '#{value_to_sql(operator, value)}'", :order => :priority}
condition = sanitize_sql_for_conditions(["name = ? and value #{operator} ?", key_name, value_to_sql(operator, value)])
opts = {:conditions => condition, :order => :priority}
p = Parameter.all(opts)
return {:conditions => '1 = 0'} if p.blank?

max = p.first.priority
negate_opts = {:conditions => "name = '#{key_name}' and NOT(value #{operator} '#{value_to_sql(operator, value)}') and priority > #{max}", :order => :priority}
condition = sanitize_sql_for_conditions(["name = ? and NOT(value #{operator} ?) and priority > ?",key_name,value_to_sql(operator, value), max])
negate_opts = {:conditions => condition, :order => :priority}
n = Parameter.all(negate_opts)

conditions = param_conditions(p)
Expand Down
4 changes: 2 additions & 2 deletions app/models/puppetclass.rb
Expand Up @@ -151,8 +151,8 @@ def as_json(options={})
end

def self.search_by_host(key, operator, value)
conditions = "hosts.name #{operator} '#{value_to_sql(operator, value)}'"
direct = Puppetclass.all(:conditions => conditions, :joins => :hosts, :select => 'puppetclasses.id').map(&:id).uniq
conditions = sanitize_sql_for_conditions(["hosts.name #{operator} ?", value_to_sql(operator, value)])
direct = Puppetclass.joins(:hosts).where(conditions).select('puppetclasses.id').map(&:id).uniq
hostgroup = Hostgroup.joins(:hosts).where(conditions).first
indirect = HostgroupClass.where(:hostgroup_id => hostgroup.path_ids).pluck(:puppetclass_id).uniq
return { :conditions => "1=0" } if direct.blank? && indirect.blank?
Expand Down

0 comments on commit 387b764

Please sign in to comment.