Merge branch '2017.7' into fix-minion-return-exception-with-return

2024-11-07 00:55:19 +00:00 · 2018-10-25 09:06:41 -07:00 · 2018-10-25 09:06:41 -07:00 · 283d41c16c
commit 283d41c16c
parent a4e54d76b7 017d39400a
6 changed files with 97 additions and 11 deletions
--- a/doc/conf.py
+++ b/doc/conf.py
@ -251,8 +251,8 @@ on_saltstack = 'SALT_ON_SALTSTACK' in os.environ
 project = 'Salt'

 version = salt.version.__version__
-latest_release = '2018.3.2'  # latest release
-previous_release = '2017.7.7'  # latest release from previous branch
+latest_release = '2018.3.3'  # latest release
+previous_release = '2017.7.8'  # latest release from previous branch
 previous_release_dir = '2017.7'  # path on web server for previous branch
 next_release = ''  # next release
 next_release_dir = ''  # path on web server for next release branch
--- a/doc/topics/releases/2017.7.8.rst
+++ b/doc/topics/releases/2017.7.8.rst
@ -1,9 +1,8 @@
-========================================
-In Progress: Salt 2017.7.8 Release Notes
-========================================
+===========================
+Salt 2017.7.8 Release Notes
+===========================

-Version 2017.7.8 is an **unreleased** bugfix release for :ref:`2017.7.0 <release-2017-7-0>`.
-This release is still in progress and has not been released yet.
+Version 2017.7.8 is a security and bugfix release for :ref:`2017.7.0 <release-2017-7-0>`.

 Statistics
 ==========
@ -14,6 +13,12 @@ Statistics

 - Contributors: **52** (`AVeenstra`_, `Ch3LL`_, `Circuitsoft`_, `DmitryKuzmenko`_, `KaiSforza`_, `Martin819`_, `OrlandoArcapix`_, `UtahDave`_, `Vaelatern`_, `abednarik`_, `asnell`_, `b1naryth1ef`_, `baniobloom`_, `basepi`_, `bdrung`_, `beornf`_, `bmcorser`_, `bowmanjd-lms`_, `damon-atkins`_, `darkpixel`_, `discogestalt`_, `doesitblend`_, `dqminh`_, `dubb-b`_, `dwoz`_, `frankiexyz`_, `frogunder`_, `fzipi`_, `garethgreenaway`_, `grokrecursion`_, `gtmanfred`_, `jacksontj`_, `jagguli`_, `lejambon`_, `lomeroe`_, `lordcirth`_, `lusche`_, `mbunkus`_, `meaksh`_, `mirceaulinic`_, `nbraud`_, `pritambaral`_, `ralex`_, `rallytime`_, `rmcintosh`_, `slaws`_, `terminalmage`_, `twangboy`_, `twellspring`_, `wyardley`_, `xetix`_, `zer0def`_)

+Security Fix
+============
+
+CVE-2018-15751 Remote command execution and incorrect access control when using salt-api.
+
+CVE-2018-15750 Directory traversal vulnerability when using salt-api. Allows an attacker to determine what files exist on a server when querying /run or /events.

 New win_snmp behavior
 =====================
--- a/salt/netapi/rest_cherrypy/app.py
+++ b/salt/netapi/rest_cherrypy/app.py
@ -1078,6 +1078,13 @@ class LowDataAdapter(object):
                if cherrypy.session.get('groups'):
                    chunk['__current_eauth_groups'] = cherrypy.session.get('groups')

+            if 'token' in chunk:
+                # Make sure that auth token is hex
+                try:
+                    int(chunk['token'], 16)
+                except (TypeError, ValueError):
+                    raise cherrypy.HTTPError(401, 'Invalid token')
+
            if client:
                chunk['client'] = client

@ -2078,7 +2085,11 @@ class Events(object):

        :return bool: True if valid, False if not valid.
        '''
-        if auth_token is None:
+        # Make sure that auth token is hex. If it's None, or something other
+        # than hex, this will raise a ValueError.
+        try:
+            int(auth_token, 16)
+        except (TypeError, ValueError):
            return False

        # First check if the given token is in our session table; if so it's a
--- a/salt/spm/pkgfiles/local.py
+++ b/salt/spm/pkgfiles/local.py
@ -129,7 +129,7 @@ def install_file(package, formula_tar, member, formula_def, conn=None):
            elif tag in ('s', 'm'):
                pass

-    if new_name.startswith('{0}/_'.format(package)):
+    if member.name.startswith('{0}/_'.format(package)):
        if node_type in ('master', 'minion'):
            # Module files are distributed via extmods directory
            member.name = member.name.replace('{0}/_'.format(package), '')
@ -141,7 +141,7 @@ def install_file(package, formula_tar, member, formula_def, conn=None):
        else:
            # Module files are distributed via _modules, _states, etc
            member.name = member.name.replace('{0}/'.format(package), '')
-    elif new_name == '{0}/pillar.example'.format(package):
+    elif member.name == '{0}/pillar.example'.format(package):
        # Pillars are automatically put in the pillar_path
        member.name = '{0}.sls.orig'.format(package)
        out_path = conn['pillar_path']
--- a/tests/integration/netapi/rest_cherrypy/test_app.py
+++ b/tests/integration/netapi/rest_cherrypy/test_app.py
@ -2,6 +2,7 @@

 # Import python libs
 from __future__ import absolute_import
+import os
 import json

 # Import salt libs
@ -124,6 +125,71 @@ class TestRun(cptc.BaseRestCherryPyTest):
        })
        self.assertEqual(response.status, '401 Unauthorized')

+    def test_run_empty_token(self):
+        '''
+        Test the run URL with empty token
+        '''
+        cmd = dict(self.low, **{'token': ''})
+        body = urlencode(cmd)
+
+        request, response = self.request('/run', method='POST', body=body,
+            headers={
+                'content-type': 'application/x-www-form-urlencoded'
+        })
+        assert response.status == '401 Unauthorized'
+
+    def test_run_empty_token_upercase(self):
+        '''
+        Test the run URL with empty token with upercase characters
+        '''
+        cmd = dict(self.low, **{'ToKen': ''})
+        body = urlencode(cmd)
+
+        request, response = self.request('/run', method='POST', body=body,
+            headers={
+                'content-type': 'application/x-www-form-urlencoded'
+        })
+        assert response.status == '401 Unauthorized'
+
+    def test_run_wrong_token(self):
+        '''
+        Test the run URL with incorrect token
+        '''
+        cmd = dict(self.low, **{'token': 'bad'})
+        body = urlencode(cmd)
+
+        request, response = self.request('/run', method='POST', body=body,
+            headers={
+                'content-type': 'application/x-www-form-urlencoded'
+        })
+        assert response.status == '401 Unauthorized'
+
+    def test_run_pathname_token(self):
+        '''
+        Test the run URL with path that exists in token
+        '''
+        cmd = dict(self.low, **{'token': os.path.join('etc', 'passwd')})
+        body = urlencode(cmd)
+
+        request, response = self.request('/run', method='POST', body=body,
+            headers={
+                'content-type': 'application/x-www-form-urlencoded'
+        })
+        assert response.status == '401 Unauthorized'
+
+    def test_run_pathname_not_exists_token(self):
+        '''
+        Test the run URL with path that does not exist in token
+        '''
+        cmd = dict(self.low, **{'token': os.path.join('tmp', 'doesnotexist')})
+        body = urlencode(cmd)
+
+        request, response = self.request('/run', method='POST', body=body,
+            headers={
+                'content-type': 'application/x-www-form-urlencoded'
+        })
+        assert response.status == '401 Unauthorized'
+

 class TestWebhookDisableAuth(cptc.BaseRestCherryPyTest):

--- a/tests/support/helpers.py
+++ b/tests/support/helpers.py
@ -1548,7 +1548,11 @@ def win32_kill_process_tree(pid, sig=signal.SIGTERM, include_parent=True,
    '''
    if pid == os.getpid():
        raise RuntimeError("I refuse to kill myself")
-    parent = psutil.Process(pid)
+    try:
+        parent = psutil.Process(pid)
+    except psutil.NoSuchProcess:
+        log.debug("PID not found alive: %d", pid)
+        return ([], [])
    children = parent.children(recursive=True)
    if include_parent:
        children.append(parent)