Changeset - 36d96a3fc472
Branko Majic (branko) - 5 years ago 2021-01-13 00:07:32
branko@majic.rs
MAR-163: Ensure host.run is not susceptible to shell injection:

- Use host.run's built-in capability for handling parameter escaping
and insertion.
6 files changed with 9 insertions and 9 deletions:
roles/common/molecule/default/tests/test_default.py
 
@@ -325,13 +325,13 @@ def test_pipreqcheck_requirements(host, requirements_in_path, requirements_txt_p
 
def test_pipreqcheck_virtualenv_packages(host, pip_path, expected_packages):
 
    """
 
    Tests if correct packages are installed in virtualenv used for pip
 
    requirements checks..
 
    """
 

	
 
    packages = host.run("sudo -u %s %s freeze --all" % ('pipreqcheck', pip_path))
 
    packages = host.run("sudo -u pipreqcheck %s freeze --all", pip_path)
 

	
 
    # Normalise package names and order.
 
    expected_packages = sorted([p.lower() for p in expected_packages])
 
    actual_packages = sorted(packages.stdout.lower().strip().split("\n"))
 

	
 
    # This is a dummy distro-provided package ignored by the pip-tools.
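Review bot: The result of `host.run("sudo -u pipreqcheck %s freeze --all", pip_path)` is parsed from `packages.stdout` without checking that the command actually succeeded, so a failing sudo or pip invocation shows up later as a confusing package-list mismatch instead of the real error; add `assert packages.rc == 0, packages.stderr` before the normalisation step. The same applies to test_virtualenv_packages in roles/wsgi_website/molecule/default/tests/test_default.py. Since the injection fix rests on testinfra's run() quoting each extra positional argument before substituting it into the template, a one-line comment at this first use would pin that contract for future edits, e.g. `# host.run() shell-quotes the extra arguments before substitution; do not use % formatting here.` test_pipreqcheck_virtualenv_packages continues past the end of the hunk.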
roles/mail_forwarder/molecule/default/tests/test_connectivity_from_client.py
 
@@ -20,9 +20,9 @@ def test_connectivity_from_client(host, server):
 
    Tests connectivity towards mail forwarder servers from client
 
    (non-relay). Connectivity should fail for both.
 
    """
 

	
 
    with host.sudo():
 

	
 
        ping = host.run('hping3 -S -p 25 -c 1 %s' % server)
 
        ping = host.run('hping3 -S -p 25 -c 1 %s', server)
 
        assert ping.rc != 0
 
        assert "100% packet loss" in ping.stderr
roles/mail_forwarder/molecule/default/tests/test_connectivity_from_relay.py
 
@@ -18,13 +18,13 @@ def test_connectivity_from_authorised_relay(host, server):
 
    Tests connectivity towards mail forwarder servers from authorised
 
    relay.
 
    """
 

	
 
    with host.sudo():
 

	
 
        ping = host.run('hping3 -S -p 25 -c 1 %s' % server)
 
        ping = host.run('hping3 -S -p 25 -c 1 %s', server)
 
        assert ping.rc == 0
 

	
 

	
 
@pytest.mark.parametrize("server",
 
                         sorted(
 
                             set(ansible_runner.get_hosts('parameters-mandatory')) |
 
@@ -34,13 +34,13 @@ def test_connectivity_from_unauthorised_relay(host, server):
 
    Tests connectivity towards mail forwarder servers from unauthorised
 
    relay.
 
    """
 

	
 
    with host.sudo():
 

	
 
        ping = host.run('hping3 -S -p 25 -c 1 %s' % server)
 
        ping = host.run('hping3 -S -p 25 -c 1 %s', server)
 
        assert ping.rc != 0
 
        assert "100% packet loss" in ping.stderr
 

	
 

	
 
@pytest.mark.parametrize("server",
 
                         ansible_runner.get_hosts('parameters-optional'))
 
@@ -60,9 +60,9 @@ def test_open_relay(host, server):
 
    """
 
    Tests if mail forwarder behaves as open relay.
 
    """
 

	
 
    no_recipients_accepted_error_code = 24
 

	
 
    send = host.run('swaks --suppress-data --to root@client1 --server %s' % server)
 
    send = host.run('swaks --suppress-data --to root@client1 --server %s', server)
 
    assert send.rc == no_recipients_accepted_error_code
 
    assert "Relay access denied" in send.stdout
roles/web_server/molecule/default/tests/test_client.py
 
@@ -16,8 +16,8 @@ def test_connectivity(host):
 

	
 
        for server in ["parameters-mandatory",
 
                       "parameters-optional"]:
 
            # HTTP, HTTPS.
 
            for port in [80, 443]:
 

	
 
                ping = host.run('hping3 -S -p %d -c 1 %s' % (port, server))
 
                ping = host.run('hping3 -S -p %s -c 1 %s', str(port), server)
 
                assert ping.rc == 0
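Review bot: The change from `%d` to `%s` together with `str(port)` is correct but unexplained, and a later edit could plausibly revert it to `%d` with a bare int, which would presumably fail because testinfra quotes each positional argument as a shell word (a string). A short comment above the call, `# host.run() shell-quotes each positional argument, so the port must be passed as a string.`, would record the reason. The same pattern appears in roles/xmpp_server/molecule/default/tests/test_client.py. The enclosing block (indented, presumably a `with host.sudo()`) and the definition of test_connectivity begin before the hunk.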
roles/wsgi_website/molecule/default/tests/test_default.py
 
@@ -288,13 +288,13 @@ def test_python_virtualenv_wrapper_script(host, wrapper_script, expected_owner,
 
        wrapper = host.file(wrapper_script)
 
        assert wrapper.is_file
 
        assert wrapper.user == expected_owner
 
        assert wrapper.group == expected_group
 
        assert wrapper.mode == 0o750
 

	
 
        command = host.run("sudo -u %s %s python -c 'import gunicorn'" % (expected_owner, wrapper_script))
 
        command = host.run("sudo -u %s %s python -c 'import gunicorn'", expected_owner, wrapper_script)
 
        assert command.rc == 0
 

	
 

	
 
@pytest.mark.parametrize("admin_user, pip_path, expected_packages",  [
 
    ('admin-parameters-mandatory', '/var/www/parameters-mandatory/virtualenv/bin/pip', [
 
        "futures==3.3.0",
 
@@ -330,13 +330,13 @@ def test_python_virtualenv_wrapper_script(host, wrapper_script, expected_owner,
 
])
 
def test_virtualenv_packages(host, admin_user, pip_path, expected_packages):
 
    """
 
    Tests if correct packages are installed in virtualenv.
 
    """
 

	
 
    packages = host.run("sudo -u %s %s freeze" % (admin_user, pip_path))
 
    packages = host.run("sudo -u %s %s freeze", admin_user, pip_path)
 

	
 
    # Normalise package names and order.
 
    expected_packages = sorted([p.lower() for p in expected_packages])
 
    actual_packages = sorted(packages.stdout.lower().strip().split("\n"))
 

	
 
    assert actual_packages == expected_packages
roles/xmpp_server/molecule/default/tests/test_client.py
 
@@ -16,13 +16,13 @@ def test_connectivity(host):
 

	
 
        for server in ["parameters-mandatory",
 
                       "parameters-optional"]:
 
            # c2s plaintext, c2s TLS, file proxy, s2s.
 
            for port in [5222, 5223, 5000, 5269]:
 

	
 
                ping = host.run('hping3 -S -p %d -c 1 %s' % (port, server))
 
                ping = host.run('hping3 -S -p %s -c 1 %s', str(port), server)
 
                assert ping.rc == 0
 

	
 

	
 
def test_tls(host):
 
    """
 
    Tests if TLS works as expected.