diff options
| author | Eli Young <elyscape@gmail.com> | 2015-05-28 18:15:05 -0700 |
|---|---|---|
| committer | Eli Young <elyscape@gmail.com> | 2015-06-01 16:19:07 -0700 |
| commit | 601f681787c8d6c02bb3566b8cefde289377be0e (patch) | |
| tree | 1f6ce54256909aafc643bf89ee2b203a58e70d80 | |
| parent | a383705fdb133978e53503b7e01012367fac139d (diff) | |
| download | puppet-stdlib-601f681787c8d6c02bb3566b8cefde289377be0e.tar.gz puppet-stdlib-601f681787c8d6c02bb3566b8cefde289377be0e.tar.bz2 | |
fqdn_rotate: Don't use the value itself as part of the random seed
Previously, the random number generator was seeded with the array or
string to be rotated in addition to any values specifically provided for
seeding. This behavior is potentially insecure in that it allows an
attacker who can modify the source data to choose the post-shuffle
order.
| -rw-r--r-- | lib/puppet/parser/functions/fqdn_rotate.rb | 2 | ||||
| -rwxr-xr-x | spec/acceptance/fqdn_rotate_spec.rb | 2 | ||||
| -rwxr-xr-x | spec/functions/fqdn_rotate_spec.rb | 6 |
3 files changed, 3 insertions, 7 deletions
diff --git a/lib/puppet/parser/functions/fqdn_rotate.rb b/lib/puppet/parser/functions/fqdn_rotate.rb index d9741a0..e1a50e6 100644 --- a/lib/puppet/parser/functions/fqdn_rotate.rb +++ b/lib/puppet/parser/functions/fqdn_rotate.rb @@ -11,7 +11,7 @@ Rotates an array a random number of times based on a nodes fqdn. raise(Puppet::ParseError, "fqdn_rotate(): Wrong number of arguments " + "given (#{arguments.size} for 1)") if arguments.size < 1 - value = arguments[0] + value = arguments.shift require 'digest/md5' unless value.is_a?(Array) || value.is_a?(String) diff --git a/spec/acceptance/fqdn_rotate_spec.rb b/spec/acceptance/fqdn_rotate_spec.rb index 753068b..366d027 100755 --- a/spec/acceptance/fqdn_rotate_spec.rb +++ b/spec/acceptance/fqdn_rotate_spec.rb @@ -36,7 +36,7 @@ describe 'fqdn_rotate function', :unless => UNSUPPORTED_PLATFORMS.include?(fact( EOS apply_manifest(pp, :catch_failures => true) do |r| - expect(r.stdout).to match(/fqdn_rotate is \["c", "d", "a", "b"\]/) + expect(r.stdout).to match(/fqdn_rotate is \["d", "a", "b", "c"\]/) end end end diff --git a/spec/functions/fqdn_rotate_spec.rb b/spec/functions/fqdn_rotate_spec.rb index fe54490..6c76781 100755 --- a/spec/functions/fqdn_rotate_spec.rb +++ b/spec/functions/fqdn_rotate_spec.rb @@ -5,10 +5,6 @@ describe 'fqdn_rotate' do it { is_expected.to run.with_params().and_raise_error(Puppet::ParseError, /wrong number of arguments/i) } it { is_expected.to run.with_params(0).and_raise_error(Puppet::ParseError, /Requires either array or string to work with/) } it { is_expected.to run.with_params({}).and_raise_error(Puppet::ParseError, /Requires either array or string to work with/) } - it { - pending("Current implementation ignores parameters after the first.") - is_expected.to run.with_params("one", "two").and_raise_error(Puppet::ParseError) - } it { is_expected.to run.with_params('').and_return('') } it { is_expected.to run.with_params('a').and_return('a') } @@ -38,7 +34,7 @@ describe 'fqdn_rotate' do it "should use the Puppet::Util.deterministic_rand function" do if Puppet::Util.respond_to?(:deterministic_rand) - Puppet::Util.expects(:deterministic_rand).with(113646079810780526294648115052177588845,4) + Puppet::Util.expects(:deterministic_rand).with(44489829212339698569024999901561968770,4) fqdn_rotate("asdf") else skip 'Puppet::Util#deterministic_rand not available' |