[6.16.z] CVE-2024-8553 (#17194)

CVE-2024-8553 (#17091) * CVE-2024-8553, CLI part * CVE-2024-8553, UI part * Minor simplification (cherry picked from commit 3ac153b) Co-authored-by: Lukáš Hellebrandt <[email protected]>
SatelliteQE · Dec 17, 2024 · 9f97ad2 · 9f97ad2
1 parent e5b9c16
commit 9f97ad2
Show file tree

Hide file tree

Showing 2 changed files with 122 additions and 1 deletion.
diff --git a/tests/foreman/cli/test_reporttemplates.py b/tests/foreman/cli/test_reporttemplates.py
@@ -190,6 +190,56 @@ def test_positive_end_to_end_crud_and_list(target_sat):
         target_sat.cli.ReportTemplate.info({'id': tmp_report_template['id']})
 
 
+@pytest.mark.parametrize(
+    'content',
+    [
+        '''<% load_users(joins: "LEFT JOIN hosts ON 1=1", select: 'hosts.name AS login,hosts.id AS id', limit: 100_000).each_record do |h| %>
+<%= h.id %> - <%= h.login %>
+<% end %>
+    ''',
+        '''<% load_users(joins: ["LEFT JOIN hosts ON 1=1"], select: ['hosts.name AS login,hosts.id AS id'],limit: 100_000).each_record do |h| %>
+<%= h.id %> - <%= h.login %>
+<% end %>''',
+    ],
+    ids=['v1', 'v2'],
+)
+@pytest.mark.tier2
+def test_positive_generate_report_check_for_injection(
+    module_target_sat, module_org, module_location, content
+):
+    """Generate a report and check for injection as per CVE-2024-8553
+
+    :id: 1126640e-2eee-4476-aa51-cb473096cbd8
+
+    :setup:
+        0. Create a report template containing an exploit
+
+    :steps:
+        0. hammer report-template generate --id ...
+
+    :expectedresults:
+        Failure with a correct error message
+
+    :CaseImportance: Critical
+    """
+    name = gen_alpha()
+    module_target_sat.cli.ReportTemplate.create(
+        {
+            'name': name,
+            'organization-id': module_org.id,
+            'location-id': module_location.id,
+            'file': content,
+        }
+    )
+
+    with pytest.raises(CLIReturnCodeError) as error:
+        module_target_sat.cli.ReportTemplate.generate({'name': name})
+    assert (
+        "Generating Report template failed for: Value of 'select' passed to load_users must be Symbol or Array of Symbols."
+        in error.value.stderr
+    )
+
+
 @pytest.mark.tier1
 def test_positive_generate_report_nofilter_and_with_filter(module_target_sat):
     """Generate Host Status report without filter and with filter

diff --git a/tests/foreman/ui/test_jobtemplate.py b/tests/foreman/ui/test_jobtemplate.py
@@ -12,7 +12,7 @@
 
 """
 
-from fauxfactory import gen_string
+from fauxfactory import gen_alpha, gen_string
 import pytest
 
 
@@ -204,3 +204,74 @@ def test_positive_end_to_end(session, module_org, module_location, target_sat):
         for name in (template_new_name, template_clone_name):
             session.jobtemplate.delete(name)
             assert not session.jobtemplate.search(name)
+
+
+@pytest.mark.no_containers
+@pytest.mark.rhel_ver_match('8')
+@pytest.mark.parametrize(
+    'content',
+    [
+        '''<% load_users(joins: "LEFT JOIN hosts ON 1=1", select: 'hosts.name AS login,hosts.id AS id', limit: 100_000).each_record do |h| %>
+<%= h.id %> - <%= h.login %>
+<% end %>
+    ''',
+        '''<% load_users(joins: ["LEFT JOIN hosts ON 1=1"], select: ['hosts.name AS login,hosts.id AS id'],limit: 100_000).each_record do |h| %>
+<%= h.id %> - <%= h.login %>
+<% end %>''',
+    ],
+    ids=['v1', 'v2'],
+)
+@pytest.mark.tier2
+def test_positive_preview_template_check_for_injection(
+    module_target_sat, module_org, module_location, rhel_contenthost, module_ak_with_cv, content
+):
+    """Preview a report and check for injection as per CVE-2024-8553
+
+    :id: df7e7913-630b-4235-9464-5a45f1db244b
+
+    :setup:
+        0. Create a report template containing an exploit
+
+    :steps:
+        0. In WebUI, preview a report
+
+    :expectedresults:
+        Failure with a correct error message
+
+    :CaseImportance: Critical
+    """
+    name = gen_alpha()
+    filename = gen_alpha()
+    module_target_sat.execute(f'''cat << EOF > {filename}
+{content}
+EOF
+''')
+    module_target_sat.cli.JobTemplate.create(
+        {
+            'name': name,
+            'organization-id': module_org.id,
+            'location-id': module_location.id,
+            'file': filename,
+            'job-category': 'Commands',
+            'provider-type': 'script',
+        }
+    )
+    rhel_contenthost.register(
+        module_org, module_location, module_ak_with_cv.name, module_target_sat
+    )
+    with module_target_sat.ui_session() as session:
+        session.organization.select(module_org.name)
+        session.location.select(module_location.name)
+        rendered = session.jobtemplate.read(
+            name,
+            editor_view_option='Preview',
+            widget_names=['template.template_editor.editor', 'template.template_editor.error'],
+        )
+    assert (
+        "Problem with previewing the template: error during rendering: Value of 'select' passed to load_users must be Symbol or Array of Symbols. Note that you must save template input changes before you try to preview it."
+        in rendered['template']['template_editor']['error']
+    )
+    assert (
+        "Error during rendering, Return to Editor tab."
+        in rendered['template']['template_editor']['editor']
+    )