Do not allow IDs with null bytes in decoded payloads

2025-04-17 10:10:20 +00:00 · 2017-08-25 14:15:58 -05:00 · 2017-08-25 14:15:58 -05:00 · c0149101c0
commit c0149101c0
parent 19481423dd
3 changed files with 25 additions and 0 deletions
--- a/salt/crypt.py
+++ b/salt/crypt.py
@ -606,6 +606,9 @@ class AsyncAuth(object):
                raise tornado.gen.Return('retry')
            else:
                raise SaltClientError('Attempt to authenticate with the salt master failed with timeout error')
+        if not isinstance(payload, dict):
+            log.error('Sign-in attempt failed: %s', payload)
+            raise tornado.gen.Return(False)
        if 'load' in payload:
            if 'ret' in payload['load']:
                if not payload['load']['ret']:
--- a/salt/transport/tcp.py
+++ b/salt/transport/tcp.py
@ -623,6 +623,17 @@ class TCPReqServerChannel(salt.transport.mixins.auth.AESReqServerMixin, salt.tra
                    'payload and load must be a dict', header=header))
                raise tornado.gen.Return()

+            try:
+                id_ = payload['load'].get('id', '')
+                if '\0' in id_:
+                    log.error('Payload contains an id with a null byte: %s', payload)
+                    stream.send(self.serial.dumps('bad load: id contains a null byte'))
+                    raise tornado.gen.Return()
+            except TypeError:
+                log.error('Payload contains non-string id: %s', payload)
+                stream.send(self.serial.dumps('bad load: id {0} is not a string'.format(id_)))
+                raise tornado.gen.Return()
+
            # intercept the "_auth" commands, since the main daemon shouldn't know
            # anything about our key auth
            if payload['enc'] == 'clear' and payload.get('load', {}).get('cmd') == '_auth':
--- a/salt/transport/zeromq.py
+++ b/salt/transport/zeromq.py
@ -596,6 +596,17 @@ class ZeroMQReqServerChannel(salt.transport.mixins.auth.AESReqServerMixin, salt.
            stream.send(self.serial.dumps('payload and load must be a dict'))
            raise tornado.gen.Return()

+        try:
+            id_ = payload['load'].get('id', '')
+            if '\0' in id_:
+                log.error('Payload contains an id with a null byte: %s', payload)
+                stream.send(self.serial.dumps('bad load: id contains a null byte'))
+                raise tornado.gen.Return()
+        except TypeError:
+            log.error('Payload contains non-string id: %s', payload)
+            stream.send(self.serial.dumps('bad load: id {0} is not a string'.format(id_)))
+            raise tornado.gen.Return()
+
        # intercept the "_auth" commands, since the main daemon shouldn't know
        # anything about our key auth
        if payload['enc'] == 'clear' and payload.get('load', {}).get('cmd') == '_auth':