Address issues in cve release

- Fix saltstack#57016 - Fix saltstack#57027 - Add tests for exposed methods on AESFuncs and ClearFuncs - Add response validation for patched ClearFuncs.wheel - Add release notes template for 2019.2.5
dwoz · May 6, 2020 · 4517ed3 · 4517ed3
1 parent d234429
commit 4517ed3
Show file tree

Hide file tree

Showing 5 changed files with 119 additions and 3 deletions.
diff --git a/doc/topics/releases/2019.2.5.rst b/doc/topics/releases/2019.2.5.rst
@@ -0,0 +1,5 @@
+===========================
+Salt 2019.2.5 Release Notes
+===========================
+
+Version 2019.2.5 is a bug-fix release for :ref:`2019.2.0 <release-2019-2-0>`.
diff --git a/salt/master.py b/salt/master.py
@@ -1177,9 +1177,9 @@ class AESFuncs(TransportMethods):
         'verify_minion', '_master_tops', '_ext_nodes', '_master_opts',
         '_mine_get', '_mine', '_mine_delete', '_mine_flush', '_file_recv',
         '_pillar', '_minion_event', '_handle_minion_event', '_return',
-        '_syndic_return', '_minion_runner', 'pub_ret', 'minion_pub',
-        'minion_publish', 'revoke_auth', 'run_func', '_serve_file',
-        '_file_find', '_file_hash', '_file_find_and_stat', '_file_list',
+        '_syndic_return', 'minion_runner', 'pub_ret', 'minion_pub',
+        'minion_publish', 'revoke_auth', '_serve_file', '_file_find',
+        '_file_hash', '_file_hash_and_stat', '_file_list',
         '_file_list_emptydirs', '_dir_list', '_symlink_list', '_file_envs',
     )
 

diff --git a/salt/wheel/config.py b/salt/wheel/config.py
@@ -12,6 +12,7 @@
 import salt.config
 import salt.utils.files
 import salt.utils.yaml
+import salt.utils.verify
 
 # Import 3rd-party libs
 from salt.ext import six

diff --git a/tests/integration/master/test_clear_funcs.py b/tests/integration/master/test_clear_funcs.py
@@ -176,6 +176,7 @@ def test_clearfuncs_config(self):
         ret = clear_channel.send(msg, timeout=5)
         assert not os.path.exists(os.path.join(self.conf_dir, 'evil.conf')), \
             'Wrote file via directory traversal'
+        assert ret['data']['return'] == 'Invalid path'
 
 
 class ClearFuncsFileRoots(TestCase):

diff --git a/tests/unit/test_master.py b/tests/unit/test_master.py
@@ -32,6 +32,115 @@ def bang(self):
         assert foo.get_method('bar') is not None
         assert foo.get_method('bang') is None
 
+    def test_aes_funcs_white(self):
+        '''
+        Validate methods exposed on AESFuncs exist and are callable
+        '''
+        opts = salt.config.master_config(None)
+        aes_funcs = salt.master.AESFuncs(opts)
+        for name in aes_funcs.expose_methods:
+            func = getattr(aes_funcs, name, None)
+            assert callable(func)
+
+    def test_aes_funcs_black(self):
+        '''
+        Validate methods on AESFuncs that should not be called remotely
+        '''
+        opts = salt.config.master_config(None)
+        aes_funcs = salt.master.AESFuncs(opts)
+        # Any callable that should not explicitly be allowed should be added
+        # here.
+        blacklist_methods = [
+            '_AESFuncs__setup_fileserver',
+            '_AESFuncs__verify_load',
+            '_AESFuncs__verify_minion',
+            '_AESFuncs__verify_minion_publish',
+            '__class__',
+            '__delattr__',
+            '__dir__',
+            '__eq__',
+            '__format__',
+            '__ge__',
+            '__getattribute__',
+            '__gt__',
+            '__hash__',
+            '__init__',
+            '__init_subclass__',
+            '__le__',
+            '__lt__',
+            '__ne__',
+            '__new__',
+            '__reduce__',
+            '__reduce_ex__',
+            '__repr__',
+            '__setattr__',
+            '__sizeof__',
+            '__str__',
+            '__subclasshook__',
+            'get_method',
+            'run_func',
+
+        ]
+        for name in dir(aes_funcs):
+            if name in aes_funcs.expose_methods:
+                continue
+            if not callable(getattr(aes_funcs, name)):
+                continue
+            assert name in blacklist_methods, name
+
+    def test_clear_funcs_white(self):
+        '''
+        Validate methods exposed on ClearFuncs exist and are callable
+        '''
+        opts = salt.config.master_config(None)
+        clear_funcs = salt.master.ClearFuncs(opts, {})
+        for name in clear_funcs.expose_methods:
+            func = getattr(clear_funcs, name, None)
+            assert callable(func)
+
+    def test_clear_funcs_black(self):
+        '''
+        Validate methods on ClearFuncs that should not be called remotely
+        '''
+        opts = salt.config.master_config(None)
+        clear_funcs = salt.master.ClearFuncs(opts, {})
+        blacklist_methods = [
+            '__class__',
+            '__delattr__',
+            '__dir__',
+            '__eq__',
+            '__format__',
+            '__ge__',
+            '__getattribute__',
+            '__gt__',
+            '__hash__',
+            '__init__',
+            '__init_subclass__',
+            '__le__',
+            '__lt__',
+            '__ne__',
+            '__new__',
+            '__reduce__',
+            '__reduce_ex__',
+            '__repr__',
+            '__setattr__',
+            '__sizeof__',
+            '__str__',
+            '__subclasshook__',
+            '_prep_auth_info',
+            '_prep_jid',
+            '_prep_pub',
+            '_send_pub',
+            '_send_ssh_pub',
+            'get_method',
+        ]
+        for name in dir(clear_funcs):
+            if name in clear_funcs.expose_methods:
+                continue
+            if not callable(getattr(clear_funcs, name)):
+                continue
+            assert name in blacklist_methods, name
+
 
 class ClearFuncsTestCase(TestCase):
     '''