Description
The localfs cache module allows operating on paths outside of the configured cache directory (cachedir).
Setup
irrelevant
Steps to Reproduce the behavior
```console
$ salt-run config.get cachedir
/var/cache/salt/master
$ salt-run cache.store /tmp/this_is_outside_the_cachedir foo bar
None
$ ls /tmp/this_is_outside_the_cachedir/
foo.p
$ salt-run cache.flush /tmp/this_is_outside_the_cachedir
True
$ ls /tmp/this_is_outside_the_cachedir/
ls: cannot access '/tmp/this_is_outside_the_cachedir/': No such file or directory
# better not salt-run this: cache.flush / :)
$ salt-run cache.list /etc
- fstab
- crypttab
- crypto-policies
- pki
- os-release
- salt
- gshadow
- hosts
- udev
- inputrc
- sysctl.conf
- sysctl.d
- passwd
- shadow
- sestatus.conf
- sudoers
- .pwd.lock
- nftables
- group-
- gshadow-
- libibverbs.d
- vimrc
- pam.d
- rc.d
- systemd
- machine-id
- hostname
# [..., you get the point]
```
Expected behavior
Cache operations should be limited to the cachedir.
Versions Report
```yaml
Salt Version:
Salt: 3006.9
Python Version:
Python: 3.10.14 (main, Jun 26 2024, 11:44:37) [GCC 11.2.0]
Dependency Versions:
cffi: 1.14.6
cherrypy: unknown
cryptography: 42.0.5
dateutil: 2.8.1
docker-py: Not Installed
gitdb: 4.0.11
gitpython: 3.1.42
Jinja2: 3.1.4
libgit2: Not Installed
looseversion: 1.0.2
M2Crypto: Not Installed
Mako: Not Installed
msgpack: 1.0.2
msgpack-pure: Not Installed
mysql-python: Not Installed
packaging: 22.0
pycparser: 2.21
pycrypto: Not Installed
pycryptodome: 3.19.1
pygit2: Not Installed
python-gnupg: 0.4.8
PyYAML: 6.0.1
PyZMQ: 23.2.0
relenv: 0.17.0
smmap: 5.0.1
timelib: 0.2.4
Tornado: 4.5.3
ZMQ: 4.3.4
System Versions:
dist: rocky 9.4 Blue Onyx
locale: utf-8
machine: x86_64
release: 5.14.0-427.40.1.el9_4.x86_64
system: Linux
version: Rocky Linux 9.4 Blue Onyx
```
Additional context
I initially considered this to be a security issue because anyone with unintended access to the cache runner would have been able to operate on the filesystem with the master process user's privileges, but then noticed that the cache runner provides an input for the cachedir anyway.
I didn't find any other spot in Salt core where unsanitized user input is passed to the localfs cache module, so this is just a bug, though one where some specific typos have serious consequences.
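The confinement check the report is asking for, as an added example that is not Salt's own code: it assumes (consistent with the output above) that the localfs module builds its paths by joining cachedir, bank and key with os.path.join, which silently discards the cachedir prefix when the bank is absolute, and it shows how resolving the candidate path and comparing it against the resolved cachedir rejects both the absolute-path and the `..` routes.

```python
import os

# Hypothetical confinement check (added example, not Salt's own code):
# reject any bank/key that would resolve outside the configured cachedir.


class CacheEscapeError(ValueError):
    """Raised when a requested cache path resolves outside the cachedir."""


def confine_to_cachedir(cachedir, bank, key=None):
    """Return the absolute path for (bank, key), or raise CacheEscapeError.

    os.path.join drops everything before an absolute component, which is
    why 'cache.store /tmp/...' and 'cache.list /etc' in the report land
    outside the cachedir. Resolving symlinks on both sides and requiring
    the cachedir to be a path prefix closes the absolute-path and '..'
    routes alike.
    """
    root = os.path.realpath(cachedir)
    parts = [bank] if key is None else [bank, key]
    candidate = os.path.realpath(os.path.join(root, *parts))
    # Both inputs are absolute here, so commonpath cannot raise; a result
    # other than root means the candidate escaped the cachedir.
    if os.path.commonpath([root, candidate]) != root:
        raise CacheEscapeError(f"{parts!r} resolves outside {root}")
    return candidate


def is_confined(cachedir, bank, key=None):
    """Boolean form of confine_to_cachedir, convenient for checks."""
    try:
        confine_to_cachedir(cachedir, bank, key)
        return True
    except CacheEscapeError:
        return False


if __name__ == "__main__":
    cachedir = "/var/cache/salt/master"  # value shown in the report
    # Constructed inputs mirroring the report's reproduction steps.
    for bank, key in [("/tmp/this_is_outside_the_cachedir", "foo"),
                      ("/etc", None),
                      ("../../../etc", "passwd"),
                      ("minions/minion1", "data")]:
        verdict = "ok" if is_confined(cachedir, bank, key) else "REJECTED"
        print(f"bank={bank!r} key={key!r} -> {verdict}")
```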