
Potential Vulnerability in Pipe Lookup Plugin is Obfuscated in the Documentation #70159

Closed
ajakk opened this issue Jun 19, 2020 · 3 comments · Fixed by #70596
Assignees
Labels
affects_2.11 feature This issue/PR relates to a feature request. security Related to a vulnerability or CVE support:community This issue/PR relates to code supported by the Ansible community. support:core This issue/PR relates to code supported by the Ansible Engineering Team.

Comments

@ajakk

ajakk commented Jun 19, 2020

SUMMARY

In #67792, it was stated that CVE-2020-1734 was invalid because the vulnerability is supposed to be prevented by the playbook author. This isn't clear from the relevant documentation, because the preventative measure playbook authors must use is only mentioned in an example. The warning should be changed to be more visible than it is in an example to ensure users notice the potential vulnerability.

COMPONENT NAME

Pipe Lookup

https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/lookup/pipe.py#L28
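The point the issue makes is that the lookup hands its argument string to the shell, so any variable interpolated into that string is parsed as shell syntax unless the playbook author quotes or validates it. The following added example (not code from Ansible or from the issue author) reproduces that behaviour in plain Python: `shell_lookup` stands in for the plugin's `Popen(..., shell=True)` call, `build_command` composes the command the way a Jinja template would, and the quoted path uses `shlex.quote`, which is what Ansible's `quote` filter wraps. `validate_username` is an additional allow-list check, shown as an assumption about what a cautious playbook author might do before the value ever reaches a template. The value `"alice; echo INJECTED"` is a constructed test input.

```python
import re
import shlex
import subprocess


def shell_lookup(command: str) -> str:
    """Stand-in for the pipe lookup: run COMMAND through /bin/sh and return stdout.

    Added illustration only; it mirrors the shell=True behaviour the issue
    describes, not the plugin's actual implementation.
    """
    proc = subprocess.run(
        command, shell=True, capture_output=True, text=True, check=False
    )
    return proc.stdout.strip()


def build_command(base: str, user_value: str, quote: bool) -> str:
    """Compose '<base> <user_value>' as a playbook template would.

    quote=False is the naive form ("getent passwd {{ myuser }}").
    quote=True is the documented form ("... {{ myuser | quote }}");
    shlex.quote yields one single-quoted shell word, so metacharacters
    in user_value are passed through literally.
    """
    arg = shlex.quote(user_value) if quote else user_value
    return f"{base} {arg}"


# Hypothetical allow-list for a username-like value: only characters that
# can never act as shell syntax. Rejecting early is stronger than quoting
# alone because it also keeps odd values out of logs and downstream tools.
_SAFE_USERNAME = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def validate_username(value: str) -> str:
    """Return VALUE unchanged if it matches the allow-list, else raise ValueError."""
    if not _SAFE_USERNAME.fullmatch(value):
        raise ValueError(f"refusing value with shell-significant characters: {value!r}")
    return value


def demo() -> dict:
    """Run the same constructed input through both forms and return the outputs."""
    hostile = "alice; echo INJECTED"  # constructed test value, contains ';'
    unquoted = shell_lookup(build_command("echo", hostile, quote=False))
    quoted = shell_lookup(build_command("echo", hostile, quote=True))
    return {"unquoted": unquoted, "quoted": quoted}


if __name__ == "__main__":
    for form, out in demo().items():
        print(f"{form:>8}: {out!r}")
    try:
        validate_username("alice; echo INJECTED")
    except ValueError as exc:
        print("allow-list:", exc)
```

With the naive template the shell sees two commands and the output contains a second line, `INJECTED`; with the quoted template `echo` receives one literal argument and prints it back unchanged. The detection angle follows from the same observation: on a host where the pipe lookup is used with untrusted variables, a process tree in which `sh -c` spawns a command that was not in the playbook is the signal to look for, and an allow-list like `validate_username` turns an injection attempt into a loud task failure instead.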

@ansibot

ansibot commented Jun 19, 2020

Files identified in the description:
None

If these files are incorrect, please update the component name section of the description or use the !component bot command.


@ansibot

ansibot commented Jun 19, 2020

@ajakk: Greetings! Thanks for taking the time to open this issue. In order for the community to handle your issue effectively, we need a bit more information.

Here are the items we could not find in your description:

  • component name

Please set the description of this issue with an appropriate template from:
https://github.com/ansible/ansible/tree/devel/.github/ISSUE_TEMPLATE


@ansibot ansibot added affects_2.11 feature This issue/PR relates to a feature request. needs_info This issue requires further information. Please answer any outstanding questions. needs_template This issue/PR has an incomplete description. Please fill in the proposed template correctly. needs_triage Needs a first human triage before being processed. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Jun 19, 2020
@ansibot ansibot added support:community This issue/PR relates to code supported by the Ansible community. and removed needs_info This issue requires further information. Please answer any outstanding questions. needs_template This issue/PR has an incomplete description. Please fill in the proposed template correctly. labels Jun 19, 2020
@samdoran samdoran self-assigned this Jun 23, 2020
@samdoran samdoran added security Related to a vulnerability or CVE and removed needs_triage Needs a first human triage before being processed. labels Jun 23, 2020
Akasurde added a commit to Akasurde/ansible that referenced this issue Jul 13, 2020
pipe lookup plugin uses Popen with shell=True intentionally.
This is considered a security issue if user input is not validated.
Updated docs to reflect this information for the user. Also, added
Bandit B602 documentation link for further reading.

Fixes: ansible#70159

Signed-off-by: Abhijeet Kasurde <[email protected]>
Akasurde added a commit that referenced this issue Jul 13, 2020
pipe lookup plugin uses Popen with shell=True intentionally.
This is considered a security issue if user input is not validated.
Updated docs to reflect this information for the user. Also, added
Bandit B602 documentation link for further reading.

Fixes: #70159

Signed-off-by: Abhijeet Kasurde <[email protected]>
Akasurde added a commit to Akasurde/ansible that referenced this issue Jul 13, 2020
(cherry picked from commit e5649ca)
Akasurde added a commit to Akasurde/ansible that referenced this issue Jul 13, 2020
(cherry picked from commit e5649ca)
Akasurde added a commit to Akasurde/ansible that referenced this issue Jul 13, 2020
(cherry picked from commit e5649ca)
Akasurde added a commit to Akasurde/ansible that referenced this issue Jul 13, 2020
(cherry picked from commit e5649ca)
nitzmahone pushed a commit that referenced this issue Jul 13, 2020
(cherry picked from commit e5649ca)
nitzmahone pushed a commit that referenced this issue Jul 17, 2020
(cherry picked from commit e5649ca)
nitzmahone pushed a commit that referenced this issue Jul 17, 2020
(cherry picked from commit e5649ca)
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jul 29, 2020
v2.9.11
=======

Minor Changes
-------------
- The ``items2dict`` filter can now create a dict whose values are the original elements of the input list, and whose keys are the value of some key in each dict. When the resulting dict is stored, this allows for O(1) lookup of a particular key without having to scan the entire list each time.
- k8s - update openshift requirements in documentation
- pipe lookup - update docs for Popen with shell=True usages (ansible/ansible#70159).

Bugfixes
--------
- Allow TypeErrors on Undefined variables in filters to be handled or deferred when processing for loops.
- Fix ``delegate_facts: true`` when ``ansible_python_interpreter`` is not set. (ansible/ansible#70168)
- Support check mode in NXOS BGP modules (ansible/ansible#57360).
- TaskExecutor - Handle unexpected errors as failed while post validating loops (ansible/ansible#70050).
- The `ansible_become` value was not being treated as a boolean value when set in an INI format inventory file (fixes bug ansible/ansible#70476).
- To fix ios_l2_interfaces facts parsing issue (ansible-collections/cisco.ios#59)
- To fix ios_user and ios_command test case failure fix (ansible-collections/cisco.ios#82)
- Vault - Allow single vault encrypted values to be used directly as module parameters. (ansible/ansible#68275)
- add constraints file for ``anisble_runner`` test since an update to ``psutil`` is now causing test failures
- ansible-galaxy - Instead of assuming the first defined server is galaxy, filter based on the servers that support the v1 API, and return the first of those (ansible/ansible#65440)
- ansible-test no longer tracebacks during change analysis due to processing an empty python file
- ansible-test now correctly recognizes imports in collections when using the ``--changed`` option.
- ansible-test now ignores empty ``*.py`` files when analyzing module_utils imports for change detection
- assemble - fix decrypt argument in the module (ansible/ansible#65450).
- docker_container - various error fixes in string handling for Python 2 to avoid crashes when non-ASCII characters are used in strings (ansible-collections/community.general#640).
- eos_eapi - enable eapi by default
- group_by now should correctly reflect changed status.
- json callback - Fix host result to task references in the resultant JSON output for non-lockstep strategy plugins such as free (ansible/ansible#65931)
- nmcli - Add compatibility for new networkmanager library (ansible/ansible#65726).
- puppet - fix command line construction for check mode and ``manifest:`` (ansible/ansible#60576).
- selective callback - mark task failed correctly (ansible/ansible#63767).
- windows async - use full path when calling PowerShell to reduce reliance on environment vars being correct - ansible/ansible#70655
- winrm - preserve winrm forensic data on put_file failures
@ansible ansible locked and limited conversation to collaborators Aug 10, 2020