[WIP] Add whitelisting for package and service module

**security issue** (CVE-2020-1738) When 'use' parameter is not used in package and service module, ansible relies on ansible facts such as 'pkg_mgr' and 'service_mgr'. This would allow arbitrary code execution on the managed node. Fix is added by adding a whitelist of allowed package manager modules and service manager modules to avoid arbitrary code execution on the managed node. Fixes: ansible#67796 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Akasurde · Feb 27, 2020 · 2dd46e9 · 2dd46e9
1 parent 10feb24
commit 2dd46e9
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/changelogs/fragments/67796-package-service-fact_fix.yml b/changelogs/fragments/67796-package-service-fact_fix.yml
@@ -0,0 +1,4 @@
+bugfixes:
+  - >
+    **security issue** Add a whitelist of modules for package and service module
+    when 'use' is not used and engine relies on pkg_mgr and service_mgr facts (CVE-2020-1738).
diff --git a/lib/ansible/plugins/action/package.py b/lib/ansible/plugins/action/package.py
@@ -56,6 +56,12 @@ def run(self, tmp=None, task_vars=None):
                 module = facts.get('ansible_facts', {}).get('ansible_pkg_mgr', 'auto')
 
             if module != 'auto':
+                if module not in ['apk', 'apt', 'dnf', 'homebrew', 'installp',
+                                  'macports', 'opkg', 'pacman', 'pkg5', 'pkgin',
+                                  'pkgng', 'portage', 'sorcery', 'svr4pkg', 'swdepot',
+                                  'swupd', 'urpmi', 'xbps', 'yum', 'zypper']:
+                    raise AnsibleActionFail('Could not find a module for package manager %s.'
+                                            'Try setting the "use" option.' % module)
 
                 if module not in self._shared_loader_obj.module_loader:
                     raise AnsibleActionFail('Could not find a module for %s.' % module)