Page MenuHomeVyOS Platform
Create Task
Maniphest T1901

Semicolon in values is interpreted as a part of the shell command by validators
Closed, ResolvedPublicBUG
Actions

Description

This:

# set high-availability vrrp group VLAN3 priority 50;

Results in :

     group VLAN3 {
         interface eth0.3
>        priority "50;"
         virtual-address 10.3.1.1/24
         vrid 3
     }

vs

group VLAN3 {
    interface eth0.3
    priority 50
    virtual-address 10.3.1.1/24
    vrid 3
}

And it successfully commits.

I'm not actually sure if it breaks anything, as keepalived.conf might ignore the extra colon.

Details

Version
1.3
Is it a breaking change?
Stricter validation

Event Timeline

kroy created this task.Dec 23 2019, 5:42 PM
Unknown Object (User) subscribed.Dec 23 2019, 5:45 PM
dmbaturin renamed this task from VRRP priority not properly checked to Semicolon in values gets past the validator and becomes a part of the value.Jun 18 2020, 10:56 PM
dmbaturin claimed this task.
dmbaturin edited a custom field.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin renamed this task from Semicolon in values gets past the validator and becomes a part of the value to Semicolon in values is interpreted as a part of the shell command by validators.Jun 18 2020, 11:15 PM
dmbaturin changed Is it a breaking change? from Perfectly compatible to Stricter validation.
dmbaturin added a comment.Jun 18 2020, 11:23 PM

This is a much broader issue in fact, and has nothing to do with VRRP! It's also a possible shell injection, though for values coming from local sources it's irrelevant.

The issue is that the value wasn't quoted, see https://github.com/vyos/vyos-1x/blob/crux/src/helpers/validate-value.py#L31
Thus when the command was executed, it was like "${vyos_validators_dir}/numeric --range 1-255 50; and since it's run by system(), the semicolon was intepreted by the shell.
The correct way to run it would be "${vyos_validators_dir}/numeric --range 1-255 '50;' of course.

Oddly, I copied it to the OCaml version from current without noticing the implications! Fixed there: https://github.com/vyos/vyos-utils/commit/3f84c582f966f83d86cf066328eeced4704d63a4

Now I wonder if we should also fix it in Crux, or it's too risky and someone might have came to rely on it.

dmbaturin added a project: VyOS 1.2 Crux (VyOS 1.2.6).Jun 25 2020, 3:30 PM
pasik subscribed.Jun 25 2020, 8:36 PM
dmbaturin added a comment.Jul 26 2020, 11:14 AM

Accidentally committed a crux fix with https://github.com/vyos/vyos-1x/commit/920d87447ca479c311102260e5816ec0f5268a9b

Sorry about that.

dmbaturin closed this task as Resolved.Jul 26 2020, 11:15 AM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Aug 3 2020, 3:30 PM
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.6) board.Sep 9 2020, 5:24 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Aug 29 2022, 7:13 PM
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.