Do not allow IDs with null bytes in decoded payloads

2025-04-17 10:10:20 +00:00 · 2017-08-25 14:15:58 -05:00 · 2017-08-25 14:15:58 -05:00 · 0425defe84
commit 0425defe84
parent 31b38f50eb
3 changed files with 25 additions and 0 deletions
--- a/salt/crypt.py
+++ b/salt/crypt.py
@ -548,6 +548,9 @@ class AsyncAuth(object):
                log.warning('SaltReqTimeoutError: {0}'.format(e))
                raise tornado.gen.Return('retry')
            raise SaltClientError('Attempt to authenticate with the salt master failed with timeout error')
+        if not isinstance(payload, dict):
+            log.error('Sign-in attempt failed: %s', payload)
+            raise tornado.gen.Return(False)
        if 'load' in payload:
            if 'ret' in payload['load']:
                if not payload['load']['ret']:
--- a/salt/transport/tcp.py
+++ b/salt/transport/tcp.py
@ -499,6 +499,17 @@ class TCPReqServerChannel(salt.transport.mixins.auth.AESReqServerMixin, salt.tra
                'payload and load must be a dict', header=header))
            raise tornado.gen.Return()

+        try:
+            id_ = payload['load'].get('id', '')
+            if '\0' in id_:
+                log.error('Payload contains an id with a null byte: %s', payload)
+                stream.send(self.serial.dumps('bad load: id contains a null byte'))
+                raise tornado.gen.Return()
+        except TypeError:
+            log.error('Payload contains non-string id: %s', payload)
+            stream.send(self.serial.dumps('bad load: id {0} is not a string'.format(id_)))
+            raise tornado.gen.Return()
+
        # intercept the "_auth" commands, since the main daemon shouldn't know
        # anything about our key auth
        if payload['enc'] == 'clear' and payload.get('load', {}).get('cmd') == '_auth':
--- a/salt/transport/zeromq.py
+++ b/salt/transport/zeromq.py
@ -593,6 +593,17 @@ class ZeroMQReqServerChannel(salt.transport.mixins.auth.AESReqServerMixin, salt.
            stream.send(self.serial.dumps('payload and load must be a dict'))
            raise tornado.gen.Return()

+        try:
+            id_ = payload['load'].get('id', '')
+            if '\0' in id_:
+                log.error('Payload contains an id with a null byte: %s', payload)
+                stream.send(self.serial.dumps('bad load: id contains a null byte'))
+                raise tornado.gen.Return()
+        except TypeError:
+            log.error('Payload contains non-string id: %s', payload)
+            stream.send(self.serial.dumps('bad load: id {0} is not a string'.format(id_)))
+            raise tornado.gen.Return()
+
        # intercept the "_auth" commands, since the main daemon shouldn't know
        # anything about our key auth
        if payload['enc'] == 'clear' and payload.get('load', {}).get('cmd') == '_auth':