Harden config class #1487


Merged: 1 commit into main from maint-harden_config_class on Aug 22, 2022

Conversation

@chelnak (Contributor) commented Aug 19, 2022

Prior to this commit the variables dir and mysql::server::package_name were passed to exec resources in such a way that could allow unsafe executions on the remote host.

This commit fixes the above by properly parameterizing the arguments passed to each exec resource.

Additionally, the variables have been sanitized with shell_escape for good measure.
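The three patterns named in the description, side by side, as an added example that is not code from this PR or from the puppetlabs-mysql module. It uses Ruby directly rather than a manifest because that is what can be run here: a string command is handed to /bin/sh exactly as an interpolated exec command is, an argv array bypasses the shell the way a parameterized exec command does, and Shellwords.escape is the library Puppet's own shell_escape function wraps. The printf stand-in for the mysql binary and the SAFE_DIR / EVIL_DIR values are constructed for the demo.

```ruby
require 'open3'
require 'shellwords'

# Constructed sample values: a benign datadir and one carrying a shell
# metacharacter payload, standing in for an untrusted `dir` or
# package_name value that reaches an exec resource.
SAFE_DIR = '/var/lib/mysql'
EVIL_DIR = '/var/lib/mysql; echo INJECTED'

# Pre-fix pattern (hypothetical stand-in, not the module's code): the value
# is interpolated into a single command string, so /bin/sh parses it and
# the `;` starts a second command. printf replaces the real mysql binary
# so this runs on any host with /bin/sh.
def run_interpolated(dir)
  out, _status = Open3.capture2("printf '%s\\n' --datadir=#{dir}")
  out
end

# Parameterized form: command and each argument travel as separate argv
# entries, so no shell ever sees the value. This is the property the PR's
# parameterized exec commands rely on.
def run_parameterized(dir)
  out, _status = Open3.capture2('printf', '%s\n', "--datadir=#{dir}")
  out
end

# Escaped form: still one shell string, but the value is quoted with
# Shellwords.escape first, so the shell treats it as a single word.
def run_escaped(dir)
  out, _status = Open3.capture2("printf '%s\\n' --datadir=#{Shellwords.escape(dir)}")
  out
end

if __FILE__ == $PROGRAM_NAME
  [SAFE_DIR, EVIL_DIR].each do |dir|
    puts "dir = #{dir.inspect}"
    puts "  interpolated:  #{run_interpolated(dir).inspect}"
    puts "  parameterized: #{run_parameterized(dir).inspect}"
    puts "  escaped:       #{run_escaped(dir).inspect}"
  end
end
```

With the benign value all three functions print the same `--datadir=` line. With EVIL_DIR the interpolated form prints the datadir line and then `INJECTED` on its own line, proving a second command ran; the parameterized and escaped forms both print the whole payload as one literal argument. Parameterization is the stronger fix because it needs no knowledge of the shell's quoting rules; escaping is the belt-and-braces layer the description adds on top.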

@chelnak chelnak requested review from binford2k and a team August 19, 2022 11:33
@chelnak chelnak requested a review from a team as a code owner August 19, 2022 11:33
@chelnak chelnak self-assigned this Aug 19, 2022
@chelnak chelnak added the bugfix label Aug 19, 2022
@puppet-community-rangefinder commented

mysql::server::config is a class

Breaking changes to this file MAY impact these 1 modules (near match):

This module is declared in 140 of 579 indexed public Puppetfiles.


These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

LivingInSyn
LivingInSyn previously approved these changes Aug 19, 2022
binford2k
binford2k previously approved these changes Aug 19, 2022
Prior to this commit the variables `dir` and `mysql::server::package_name`
were passed to `exec` resources in such a way that could allow unsafe executions
on the remote host.

This commit fixes the above by properly parameterizing the arguments passed to each
`exec` resource.

Additionally, the variables have been sanitized with `shell_escape` for good measure.
@chelnak chelnak dismissed stale reviews from binford2k and LivingInSyn via 1c1291d August 22, 2022 08:20
@chelnak chelnak force-pushed the maint-harden_config_class branch from 57adf56 to 1c1291d Compare August 22, 2022 08:20
@david22swan david22swan merged commit e70e7fd into main Aug 22, 2022
@david22swan david22swan deleted the maint-harden_config_class branch August 22, 2022 08:55
@kajinamit commented Aug 27, 2022

I don't know whether it is feasible to document this requirement in metadata.json, but this change is dependent on the change in puppet which is available since 7.9.0/6.24.0, while metadata.json states this supports >= 6.0.0 < 8.0.0.

puppetlabs/puppet@59d045b

@chelnak (Contributor, Author) commented Aug 28, 2022

Hey, this is a really good observation. The answer is hard, too, given that we currently support such a wide range of versions.

Technically users are not required to update to the latest and greatest version of a module but this obviously means they miss out on newer features or fixes.

@binford2k What are your thoughts?

@apoleon apoleon mentioned this pull request Oct 30, 2022
5 participants