Changeset - 36d96a3fc472
0 6 0
Branko Majic (branko) - 3 years ago 2021-01-13 00:07:32
branko@majic.rs
MAR-163: Ensure host.run is not suspectible to shell injection:

- Use host.run's built-in capability for handling parameter escaping
and insertion.
6 files changed with 9 insertions and 9 deletions:
0 comments (0 inline, 0 general)
roles/common/molecule/default/tests/test_default.py
 
@@ -328,7 +328,7 @@ def test_pipreqcheck_virtualenv_packages(host, pip_path, expected_packages):
 
    requirements checks..
 
    """
 

	
 
    packages = host.run("sudo -u %s %s freeze --all" % ('pipreqcheck', pip_path))
 
    packages = host.run("sudo -u pipreqcheck %s freeze --all", pip_path)
 

	
 
    # Normalise package names and order.
 
    expected_packages = sorted([p.lower() for p in expected_packages])
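Review bot: The new positional-argument form on the `host.run("sudo -u pipreqcheck %s freeze --all", pip_path)` line is only safe because testinfra quotes each extra argument before substituting it, and that contract is invisible at the call site; a short comment would stop the next reader from "simplifying" it back to `%` formatting. Something like `# pass pip_path as an argument so host.run shell-quotes it (do not pre-format with %)` above the call is enough. Note that the template is still a printf-style string, so any literal `%` added to it later has to be written as `%%` once arguments are passed. The same comment applies to the other five files in this changeset. test_pipreqcheck_virtualenv_packages begins outside the hunk.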
roles/mail_forwarder/molecule/default/tests/test_connectivity_from_client.py
 
@@ -23,6 +23,6 @@ def test_connectivity_from_client(host, server):
 

	
 
    with host.sudo():
 

	
 
        ping = host.run('hping3 -S -p 25 -c 1 %s' % server)
 
        ping = host.run('hping3 -S -p 25 -c 1 %s', server)
 
        assert ping.rc != 0
 
        assert "100% packet loss" in ping.stderr
roles/mail_forwarder/molecule/default/tests/test_connectivity_from_relay.py
 
@@ -21,7 +21,7 @@ def test_connectivity_from_authorised_relay(host, server):
 

	
 
    with host.sudo():
 

	
 
        ping = host.run('hping3 -S -p 25 -c 1 %s' % server)
 
        ping = host.run('hping3 -S -p 25 -c 1 %s', server)
 
        assert ping.rc == 0
 

	
 

	
 
@@ -37,7 +37,7 @@ def test_connectivity_from_unauthorised_relay(host, server):
 

	
 
    with host.sudo():
 

	
 
        ping = host.run('hping3 -S -p 25 -c 1 %s' % server)
 
        ping = host.run('hping3 -S -p 25 -c 1 %s', server)
 
        assert ping.rc != 0
 
        assert "100% packet loss" in ping.stderr
 

	
 
@@ -63,6 +63,6 @@ def test_open_relay(host, server):
 

	
 
    no_recipients_accepted_error_code = 24
 

	
 
    send = host.run('swaks --suppress-data --to root@client1 --server %s' % server)
 
    send = host.run('swaks --suppress-data --to root@client1 --server %s', server)
 
    assert send.rc == no_recipients_accepted_error_code
 
    assert "Relay access denied" in send.stdout
roles/web_server/molecule/default/tests/test_client.py
 
@@ -19,5 +19,5 @@ def test_connectivity(host):
 
            # HTTP, HTTPS.
 
            for port in [80, 443]:
 

	
 
                ping = host.run('hping3 -S -p %d -c 1 %s' % (port, server))
 
                ping = host.run('hping3 -S -p %s -c 1 %s', str(port), server)
 
                assert ping.rc == 0
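Review bot: The switch from `%d` to `%s` together with `str(port)` on the new hping3 line is not self-explanatory and should carry a comment; the same change appears in roles/xmpp_server/molecule/default/tests/test_client.py. As far as I can tell, testinfra's run() passes every extra argument through shlex.quote before substituting it into the template, and that only accepts strings, so an int port would raise rather than be formatted. A line such as `# host.run shell-quotes each extra argument and requires str values, hence str(port)` above the call documents the constraint. test_connectivity begins outside the hunk.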
roles/wsgi_website/molecule/default/tests/test_default.py
 
@@ -291,7 +291,7 @@ def test_python_virtualenv_wrapper_script(host, wrapper_script, expected_owner,
 
        assert wrapper.group == expected_group
 
        assert wrapper.mode == 0o750
 

	
 
        command = host.run("sudo -u %s %s python -c 'import gunicorn'" % (expected_owner, wrapper_script))
 
        command = host.run("sudo -u %s %s python -c 'import gunicorn'", expected_owner, wrapper_script)
 
        assert command.rc == 0
 

	
 

	
 
@@ -333,7 +333,7 @@ def test_virtualenv_packages(host, admin_user, pip_path, expected_packages):
 
    Tests if correct packages are installed in virtualenv.
 
    """
 

	
 
    packages = host.run("sudo -u %s %s freeze" % (admin_user, pip_path))
 
    packages = host.run("sudo -u %s %s freeze", admin_user, pip_path)
 

	
 
    # Normalise package names and order.
 
    expected_packages = sorted([p.lower() for p in expected_packages])
roles/xmpp_server/molecule/default/tests/test_client.py
 
@@ -19,7 +19,7 @@ def test_connectivity(host):
 
            # c2s plaintext, c2s TLS, file proxy, s2s.
 
            for port in [5222, 5223, 5000, 5269]:
 

	
 
                ping = host.run('hping3 -S -p %d -c 1 %s' % (port, server))
 
                ping = host.run('hping3 -S -p %s -c 1 %s', str(port), server)
 
                assert ping.rc == 0
 

	
 

	
0 comments (0 inline, 0 general)