Page MenuHomeVyOS Platform

Semicolon in values is interpreted as a part of the shell command by validators
Open, Requires assessmentPublicBUG

Description

This:

# set high-availability vrrp group VLAN3 priority 50;

Results in :

     group VLAN3 {
         interface eth0.3
>        priority "50;"
         virtual-address 10.3.1.1/24
         vrid 3
     }

vs

group VLAN3 {
    interface eth0.3
    priority 50
    virtual-address 10.3.1.1/24
    vrid 3
}

And it successfully commits.

I'm not actually sure if it breaks anything, as keepalived.conf might ignore the extra colon.

Details

Difficulty level
Unknown (require assessment)
Version
1.3
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Stricter validation

Event Timeline

kroy created this task.Dec 23 2019, 5:42 PM
Dmitry added a subscriber: Dmitry.Dec 23 2019, 5:45 PM
dmbaturin renamed this task from VRRP priority not properly checked to Semicolon in values gets past the validator and becomes a part of the value.Thu, Jun 18, 10:56 PM
dmbaturin claimed this task.
dmbaturin changed Why the issue appeared? from Will be filled on close to Implementation mistake.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin renamed this task from Semicolon in values gets past the validator and becomes a part of the value to Semicolon in values is interpreted as a part of the shell command by validators.Thu, Jun 18, 11:15 PM
dmbaturin changed Is it a breaking change? from Perfectly compatible to Stricter validation.

This is a much broader issue in fact, and has nothing to do with VRRP! It's also a possible shell injection, though for values coming from local sources it's irrelevant.

The issue is that the value wasn't quoted, see https://github.com/vyos/vyos-1x/blob/crux/src/helpers/validate-value.py#L31
Thus when the command was executed, it was like "${vyos_validators_dir}/numeric --range 1-255 50; and since it's run by system(), the semicolon was intepreted by the shell.
The correct way to run it would be "${vyos_validators_dir}/numeric --range 1-255 '50;' of course.

Oddly, I copied it to the OCaml version from current without noticing the implications! Fixed there: https://github.com/vyos/vyos-utils/commit/3f84c582f966f83d86cf066328eeced4704d63a4

Now I wonder if we should also fix it in Crux, or it's too risky and someone might have came to rely on it.

pasik added a subscriber: pasik.Thu, Jun 25, 8:36 PM