Bug #19457

closed

Enforce stricter restriction on authorized node id and hostname

Added by Alexis Mousset over 3 years ago. Updated about 1 year ago.

Status: Released
Priority: N/A
Category: Security
Target version:
Severity: Minor - inconvenience | misleading | easy workaround
UX impact:
User visibility: Operational - other Techniques | Rudder settings | Plugins
Effort required: Very Small
Priority: 0
Name check: To do
Fix check: Checked
Regression:

Description

Currently the webapp allows anything in the [a-zA-Z0-9\-] range (which includes things like --insecure), while on the agent side the inventory check script is much stricter and checks for:

($uuid ne "root" && $uuid !~ /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i)

As this check is already present at inventory creation, we can apply it pretty safely on the webapp side, or at least prevent a dash as the first char.

This would avoid option injection in commands using node id as argument.

For hostnames, currently toto " $ <b>tutu</b><script>alert(1);</script> is accepted as a valid hostname.

Given the hostname is used in several places, including command arguments, it could be a good thing to restrict its content to a reasonable char set to prevent various injections.
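
A sketch of the stricter checks proposed in this description, added here as an example and not taken from Rudder's code. It anchors the UUID pattern quoted above, because an unanchored match also accepts a value that merely contains a UUID. The hostname rule (RFC 1123-style labels), the function names and the tool name are assumptions made for illustration.

```python
import re

# Same UUID shape as the agent-side check quoted above. It is applied with
# fullmatch(), so the whole value must be a UUID (no prefix, suffix or newline).
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE
)

# Assumed hostname policy: dot-separated labels of letters, digits and hyphens,
# 1 to 63 characters each, with no hyphen at either end of a label.
HOST_LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", re.IGNORECASE)


def is_valid_node_id(value):
    """Accept only the literal "root" or a complete UUID."""
    return value == "root" or UUID_RE.fullmatch(value) is not None


def is_valid_hostname(value):
    """Accept only names made of valid labels, at most 253 characters long."""
    if not 1 <= len(value) <= 253:
        return False
    return all(HOST_LABEL_RE.fullmatch(label) for label in value.split("."))


def build_argv(tool, node_id):
    """Build an argument vector for a hypothetical tool taking a node id.

    The id is validated first; "--" then marks the end of options, so the id
    is treated as a positional argument by tools that follow that convention.
    """
    if not is_valid_node_id(node_id):
        raise ValueError("rejected node id: %r" % node_id)
    return [tool, "--", node_id]


if __name__ == "__main__":
    # Constructed sample values; the last hostname is the one from the description.
    sample_uuid = "0f9a1c2e-3b4d-4e5f-8a6b-7c8d9e0f1a2b"
    for node_id in ("root", sample_uuid, "--insecure", "--insecure " + sample_uuid):
        print("node id ", repr(node_id), is_valid_node_id(node_id))
    for host in ("node1.example.com", 'toto " $ <b>tutu</b><script>alert(1);</script>'):
        print("hostname", repr(host), is_valid_hostname(host))
```
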


Related issues 2 (0 open, 2 closed)

Related to Rudder - Bug #19456: Lack of HTML escaping in nodes list (Released, Nicolas CHARLES)
Has duplicate Rudder - Bug #19458: Validate the hostname field (Rejected)