[WIP] Add whitelisting for package and service module

When 'use' parameter is not used in package and service module, ansible relies on ansible facts such as 'pkg_mgr' and 'service_mgr'. This would allow arbitrary code execution on the managed node. Fix is added by adding a whitelist of allowed package manager modules and service manager modules to avoid arbitrary code execution on the managed node. Fixes: ansible#67796 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Akasurde · Feb 27, 2020 · 4654829 · 4654829
1 parent 10feb24
commit 4654829
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/changelogs/fragments/67796-package-service-fact_fix.yml b/changelogs/fragments/67796-package-service-fact_fix.yml
@@ -0,0 +1,4 @@
+bugfixes:
+ - >
+ **security issue** Add a whitelist of modules for package and service module
+ when 'use' is not used and engine relies on pkg_mgr and service_mgr facts (CVE-2020-1738).
diff --git a/lib/ansible/plugins/action/package.py b/lib/ansible/plugins/action/package.py
@@ -56,6 +56,12 @@ def run(self, tmp=None, task_vars=None):
  module = facts.get('ansible_facts', {}).get('ansible_pkg_mgr', 'auto')
 
  if module != 'auto':
+ if module not in ['apk', 'apt', 'dnf', 'homebrew', 'installp',
+ 'macports', 'opkg', 'pacman', 'pkg5', 'pkgin',
+ 'pkgng', 'portage', 'sorcery', 'svr4pkg', 'swdepot',
+ 'swupd', 'urpmi', 'xbps', 'yum', 'zypper']:
+ raise AnsibleActionFail('Could not find a module for package manager %s.'
+ 'Try setting the "use" option.' % module)
 
  if module not in self._shared_loader_obj.module_loader:
  raise AnsibleActionFail('Could not find a module for %s.' % module)