Issue #5481 has been updated by Tom Fine.
First let me point out a workaround:
generate("/bin/sh", "-c", "/usr/bin/uptime | /usr/bin/awk '{print $3}' | cut -d, -f1")
Second, let me say that this workaround demonstrates that the safety built into
this command is completely and totally worthless right now. However, I suspect
that the original attempt at safety was misguided anyway. What's the issue
that we're protecting from? Hackers inserting malicious commands into your
puppet configuration? If hackers can do that, the horse has already left the
barn.
In other words these safety checks are broken on both ends - they are not
needed, and even if they were they don't work.
----------------------------------------
Refactor #5481: generate is too safe
https://projects.puppetlabs.com/issues/5481#change-78161
Author: Garrett Honeycutt
Status: Investigating
Priority: Low
Assignee: Nigel Kersten
The generate[1] function is too safe. We should encourage people to do safe
things and perhaps log warnings when they do not, but we should not keep people
from running commands that _we_ deem to be unsafe.
Example code and output:
<pre>
$output = generate("/usr/bin/uptime")
notify { "output is $output": }
</pre>
<pre>
# puppet apply rvalue.pp -v
info: Applying configuration version '1291844128'
notice: output is 16:35:28 up 14:35, 3 users, load average: 0.02, 0.01, 0.00
notice: /Stage[main]//Notify[output is 16:35:28 up 14:35, 3 users, load
average: 0.02, 0.01, 0.00
]/message: defined 'message' as 'output is 16:35:28 up 14:35, 3 users, load
average: 0.02, 0.01, 0.00
'
</pre>
I would expect this to work and would like to see it throw a warning, such as
"It is recommended for security purposes that generators only contain
alphanumerics, file separators, and dashes"
<pre>
$output = generate("/usr/bin/uptime | /usr/bin/awk '{print $3}' | cut -d, -f1")
notify { "output is $output": }
</pre>
<pre>
# puppet apply rvalue.pp -v
Generators can only contain alphanumerics, file separators, and dashes at
/etc/puppet/manifests/rvalue.pp:2 on node puppet.puppetlabs.lan
</pre>
[1] - http://docs.puppetlabs.com/references/stable/function.html#generate
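The issue asks for a warning instead of a hard failure, and the comment above shows that the existing check looks only at the command name. As an added example (not Puppet's own code), the hypothetical `check_generator` helper below returns the warnings a manifest linter could log for a generate() call: it applies the character class from the error message to the command name and, because the `/bin/sh -c` workaround moves the real pipeline into an argument, also inspects the arguments.

```ruby
# Added example, not Puppet's code: warn-instead-of-fail review of a generate() call.
# check_generator is a hypothetical helper; it returns warning strings rather than raising.

SAFE_GENERATOR = %r{\A[A-Za-z0-9_./-]+\z}   # the character class the error message describes
SHELL_METACHARS = /[|&;<>`$()]/              # characters that hand work to a shell
SHELL_INTERPRETERS = %w[sh bash dash ksh zsh].freeze

def check_generator(command, *args)
  warnings = []
  unless command.match?(SAFE_GENERATOR)
    warnings << "generator #{command.inspect} contains characters other than " \
                "alphanumerics, file separators, and dashes"
  end
  # The original check inspects only the command name; when the command is a shell
  # invoked with -c, what actually runs lives in the arguments, so look there too.
  if SHELL_INTERPRETERS.include?(File.basename(command)) && args.include?("-c")
    warnings << "generator runs #{command} -c, so the command-name check does not " \
                "cover what is executed"
  end
  args.each_with_index do |arg, i|
    if arg.match?(SHELL_METACHARS)
      warnings << "argument #{i + 1} #{arg.inspect} contains shell metacharacters"
    end
  end
  warnings
end

# Constructed sample calls mirroring the manifests and the workaround in this issue.
if __FILE__ == $PROGRAM_NAME
  [
    ["/usr/bin/uptime"],
    ["/usr/bin/uptime | /usr/bin/awk '{print $3}' | cut -d, -f1"],
    ["/bin/sh", "-c", "/usr/bin/uptime | /usr/bin/awk '{print $3}' | cut -d, -f1"],
  ].each do |call|
    w = check_generator(*call)
    puts "generate(#{call.map(&:inspect).join(', ')}):"
    puts(w.empty? ? "  ok" : w.map { |m| "  warning: #{m}" })
  end
end
```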