puppetlabs / puppetlabs-apt

Puppet module to help manage Apt
https://forge.puppetlabs.com/puppetlabs/apt
Apache License 2.0

Harden apt-mark defined type #1051

Closed chelnak closed 1 year ago

chelnak commented 1 year ago

Prior to this PR, the title parameter of this defined type was not properly validated. This means that it could have been possible to use a resource title outside of the normal bounds of a package name.

Additionally, the onlyif and command parameter values were interpolated strings, meaning that it may have been possible to execute unsafe code on the remote system.

This PR fixes the above issues by adding a regex to check that the resource title is a valid apt package name, and also breaks out the onlyif and command parameter values into arrays of args.

By doing this we are ensuring that the commands are executed in a safe manner on the remote system.

The exception to this is the unless_cmd.

This has not been broken out into an array of args due to the requirement of the command (explained in more detail in mark.pp:20).

Using an interpolated string here is a reasonable trade-off, however, due to the fact that action is created from known enum values and title would be pre-validated by the regular expression.
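
The two hardening steps described above (a package-name regex on the title, and an argv array instead of an interpolated command string) can be shown side by side in a small Python script. This is an added example, not code from puppetlabs-apt or from this PR, and it is written in Python rather than Puppet so the difference in behaviour can be executed: `echo` stands in for `apt-mark`, and the package-name regex is assumed from Debian Policy section 5.6.1, not copied from the module's own check. The `unless_cmd` case that the PR leaves as an interpolated string is not modelled here.

```python
import re
import subprocess
from typing import List

# Assumed package-name rule (Debian Policy 5.6.1, not the module's own regex):
# lowercase letters, digits, '+', '-' and '.', at least two characters, starting
# with an alphanumeric. No shell metacharacter (';', '|', '$', space, ...) can match.
PACKAGE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")

# Fixed set of actions, standing in for the enum the PR description refers to.
APT_MARK_ACTIONS = ("hold", "unhold", "auto", "manual")


def valid_package_name(title: str) -> bool:
    """Return True only if `title` looks like a valid apt package name."""
    return PACKAGE_NAME_RE.fullmatch(title) is not None


def apt_mark_argv(action: str, title: str) -> List[str]:
    """Build the apt-mark command as an argv list (the 'array of args' form).

    Both inputs are validated first; the result is never handed to a shell,
    so a title such as 'foo; rm -rf /' cannot become a second command even
    if the regex check were somehow bypassed.
    """
    if action not in APT_MARK_ACTIONS:
        raise ValueError(f"unknown apt-mark action: {action!r}")
    if not valid_package_name(title):
        raise ValueError(f"not a valid apt package name: {title!r}")
    return ["apt-mark", action, title]


def interpolated_output(title: str) -> str:
    """The unsafe pattern: the title is interpolated into a shell command string.

    `echo` stands in for apt-mark so this runs anywhere. /bin/sh parses the
    whole string, so a ';' inside the title splits it into two commands.
    """
    cmd = f"echo {title}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_output(title: str) -> str:
    """The hardened pattern: the title is one argv element and no shell is involved."""
    return subprocess.run(["echo", title], capture_output=True, text=True).stdout


if __name__ == "__main__":
    hostile = "a; echo INJECTED"  # constructed hostile resource title
    print("regex accepts hostile title?", valid_package_name(hostile))  # False
    print("shell string :", repr(interpolated_output(hostile)))         # 'a\nINJECTED\n'
    print("argv array   :", repr(argv_output(hostile)))                 # 'a; echo INJECTED\n'
    print("argv for nginx:", apt_mark_argv("hold", "nginx"))            # ['apt-mark', 'hold', 'nginx']
```

The argv list is the Python equivalent of passing an array to the command parameter of a Puppet exec resource: each element reaches the program as one argument, so the regex is the first line of defence and the argv form is the second, independent one.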

puppet-community-rangefinder[bot] commented 1 year ago

apt_mark is a type that may have no external impact to Forge modules.

This module is declared in 234 of 579 indexed public Puppetfiles.


These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.