fqdn_rotate: Don't use the value itself as part of the random seed
Previously, the random number generator was seeded with the array or string to be rotated in addition to any values specifically provided for seeding. This behavior is potentially insecure in that it allows an attacker who can modify the source data to choose the post-shuffle order.
This commit is contained in:
parent
a383705fdb
commit
601f681787
3 changed files with 3 additions and 7 deletions
|
@ -11,7 +11,7 @@ Rotates an array a random number of times based on a nodes fqdn.
|
||||||
raise(Puppet::ParseError, "fqdn_rotate(): Wrong number of arguments " +
|
raise(Puppet::ParseError, "fqdn_rotate(): Wrong number of arguments " +
|
||||||
"given (#{arguments.size} for 1)") if arguments.size < 1
|
"given (#{arguments.size} for 1)") if arguments.size < 1
|
||||||
|
|
||||||
value = arguments[0]
|
value = arguments.shift
|
||||||
require 'digest/md5'
|
require 'digest/md5'
|
||||||
|
|
||||||
unless value.is_a?(Array) || value.is_a?(String)
|
unless value.is_a?(Array) || value.is_a?(String)
|
||||||
|
|
|
@ -36,7 +36,7 @@ describe 'fqdn_rotate function', :unless => UNSUPPORTED_PLATFORMS.include?(fact(
|
||||||
EOS
|
EOS
|
||||||
|
|
||||||
apply_manifest(pp, :catch_failures => true) do |r|
|
apply_manifest(pp, :catch_failures => true) do |r|
|
||||||
expect(r.stdout).to match(/fqdn_rotate is \["c", "d", "a", "b"\]/)
|
expect(r.stdout).to match(/fqdn_rotate is \["d", "a", "b", "c"\]/)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -5,10 +5,6 @@ describe 'fqdn_rotate' do
|
||||||
it { is_expected.to run.with_params().and_raise_error(Puppet::ParseError, /wrong number of arguments/i) }
|
it { is_expected.to run.with_params().and_raise_error(Puppet::ParseError, /wrong number of arguments/i) }
|
||||||
it { is_expected.to run.with_params(0).and_raise_error(Puppet::ParseError, /Requires either array or string to work with/) }
|
it { is_expected.to run.with_params(0).and_raise_error(Puppet::ParseError, /Requires either array or string to work with/) }
|
||||||
it { is_expected.to run.with_params({}).and_raise_error(Puppet::ParseError, /Requires either array or string to work with/) }
|
it { is_expected.to run.with_params({}).and_raise_error(Puppet::ParseError, /Requires either array or string to work with/) }
|
||||||
it {
|
|
||||||
pending("Current implementation ignores parameters after the first.")
|
|
||||||
is_expected.to run.with_params("one", "two").and_raise_error(Puppet::ParseError)
|
|
||||||
}
|
|
||||||
it { is_expected.to run.with_params('').and_return('') }
|
it { is_expected.to run.with_params('').and_return('') }
|
||||||
it { is_expected.to run.with_params('a').and_return('a') }
|
it { is_expected.to run.with_params('a').and_return('a') }
|
||||||
|
|
||||||
|
@ -38,7 +34,7 @@ describe 'fqdn_rotate' do
|
||||||
|
|
||||||
it "should use the Puppet::Util.deterministic_rand function" do
|
it "should use the Puppet::Util.deterministic_rand function" do
|
||||||
if Puppet::Util.respond_to?(:deterministic_rand)
|
if Puppet::Util.respond_to?(:deterministic_rand)
|
||||||
Puppet::Util.expects(:deterministic_rand).with(113646079810780526294648115052177588845,4)
|
Puppet::Util.expects(:deterministic_rand).with(44489829212339698569024999901561968770,4)
|
||||||
fqdn_rotate("asdf")
|
fqdn_rotate("asdf")
|
||||||
else
|
else
|
||||||
skip 'Puppet::Util#deterministic_rand not available'
|
skip 'Puppet::Util#deterministic_rand not available'
|
||||||
|
|
Loading…
Reference in a new issue