From ee792581fc03730566cda300d4ea6a0abcf4e12e Mon Sep 17 00:00:00 2001 From: Erik Johnson Date: Wed, 23 Aug 2017 10:20:50 -0500 Subject: [PATCH] Don't allow path separators in minion ID --- salt/utils/verify.py | 15 ++++----------- tests/unit/utils/verify_test.py | 10 ++++++++++ 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/salt/utils/verify.py b/salt/utils/verify.py index 9cc31201b8..b3455a639a 100644 --- a/salt/utils/verify.py +++ b/salt/utils/verify.py @@ -485,22 +485,15 @@ def clean_path(root, path, subdir=False): return '' -def clean_id(id_): - ''' - Returns if the passed id is clean. - ''' - if re.search(r'\.\.{sep}'.format(sep=os.sep), id_): - return False - return True - - def valid_id(opts, id_): ''' Returns if the passed id is valid ''' try: - return bool(clean_path(opts['pki_dir'], id_)) and clean_id(id_) - except (AttributeError, KeyError) as e: + if any(x in id_ for x in ('/', '\\', '\0')): + return False + return bool(clean_path(opts['pki_dir'], id_)) + except (AttributeError, KeyError, TypeError): return False diff --git a/tests/unit/utils/verify_test.py b/tests/unit/utils/verify_test.py index 370c2428f9..4794f76f3a 100644 --- a/tests/unit/utils/verify_test.py +++ b/tests/unit/utils/verify_test.py @@ -60,6 +60,16 @@ class TestVerify(TestCase): opts = {'pki_dir': '/tmp/whatever'} self.assertFalse(valid_id(opts, None)) + def test_valid_id_pathsep(self): + ''' + Path separators in id should make it invalid + ''' + opts = {'pki_dir': '/tmp/whatever'} + # We have to test both path separators because os.path.normpath will + # convert forward slashes to backslashes on Windows. + for pathsep in ('/', '\\'): + self.assertFalse(valid_id(opts, pathsep.join(('..', 'foobar')))) + def test_zmq_verify(self): self.assertTrue(zmq_version())