Page MenuHomeVyOS Platform
Create Task
Maniphest T1901

Semicolon in values is interpreted as a part of the shell command by validators
Closed, ResolvedPublicBUG
Actions

Description

This:

# set high-availability vrrp group VLAN3 priority 50;

Results in :

     group VLAN3 {
         interface eth0.3
>        priority "50;"
         virtual-address 10.3.1.1/24
         vrid 3
     }

vs

group VLAN3 {
    interface eth0.3
    priority 50
    virtual-address 10.3.1.1/24
    vrid 3
}

And it successfully commits.

I'm not actually sure if it breaks anything, as keepalived.conf might ignore the extra colon.

Details

Difficulty level
Unknown (require assessment)
Version
1.3
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Stricter validation

Event Timeline

kroy created this task.Dec 23 2019, 5:42 PM
Unknown Object (User) added a subscriber: Unknown Object (User).Dec 23 2019, 5:45 PM
dmbaturin renamed this task from VRRP priority not properly checked to Semicolon in values gets past the validator and becomes a part of the value.Jun 18 2020, 10:56 PM
dmbaturin claimed this task.
dmbaturin changed Why the issue appeared? from Will be filled on close to Implementation mistake.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin renamed this task from Semicolon in values gets past the validator and becomes a part of the value to Semicolon in values is interpreted as a part of the shell command by validators.Jun 18 2020, 11:15 PM
dmbaturin changed Is it a breaking change? from Perfectly compatible to Stricter validation.
dmbaturin added a comment.Jun 18 2020, 11:23 PM

This is a much broader issue in fact, and has nothing to do with VRRP! It's also a possible shell injection, though for values coming from local sources it's irrelevant.

The issue is that the value wasn't quoted, see https://github.com/vyos/vyos-1x/blob/crux/src/helpers/validate-value.py#L31
Thus when the command was executed, it was like "${vyos_validators_dir}/numeric --range 1-255 50; and since it's run by system(), the semicolon was intepreted by the shell.
The correct way to run it would be "${vyos_validators_dir}/numeric --range 1-255 '50;' of course.

Oddly, I copied it to the OCaml version from current without noticing the implications! Fixed there: https://github.com/vyos/vyos-utils/commit/3f84c582f966f83d86cf066328eeced4704d63a4

Now I wonder if we should also fix it in Crux, or it's too risky and someone might have came to rely on it.

dmbaturin added a project: VyOS 1.2 Crux (VyOS 1.2.6).Jun 25 2020, 3:30 PM
pasik added a subscriber: pasik.Jun 25 2020, 8:36 PM
dmbaturin added a comment.Jul 26 2020, 11:14 AM

Accidentally committed a crux fix with https://github.com/vyos/vyos-1x/commit/920d87447ca479c311102260e5816ec0f5268a9b

Sorry about that.

dmbaturin closed this task as Resolved.Jul 26 2020, 11:15 AM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Aug 3 2020, 3:30 PM
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.6) board.Sep 9 2020, 5:24 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Aug 29 2022, 7:13 PM
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.