diff --git a/acceptance/tests/security/cve-2013-3567_yaml_deserialization_again.rb b/acceptance/tests/security/cve-2013-3567_yaml_deserialization_again.rb
deleted file mode 100644
index ebdfa32a0..000000000
--- a/acceptance/tests/security/cve-2013-3567_yaml_deserialization_again.rb
+++ /dev/null
@@ -1,40 +0,0 @@
-test_name "CVE-2013-3567 Arbitrary YAML Deserialization"
-
-reportdir = create_tmpdir_for_user master, 'yaml_deserialization'
-
-dangerous_yaml = "--- !ruby/object:Puppet::Transaction::Report { metrics: { resources: !ruby/object:ERB { src: 'exit 0' } }, logs: [], resource_statuses: [], host: '$(puppet master --configprint certname)' }"
-
-submit_bad_yaml = [
- "curl --tlsv1 -k -X PUT",
- "--cacert $(puppet master --configprint cacert)",
- "--cert $(puppet master --configprint hostcert)",
- "--key $(puppet master --configprint hostprivkey)",
- "-H 'Content-Type: text/yaml'",
- "-d \"#{dangerous_yaml}\"",
- "\"https://#{master}:8140/production/report/$(puppet master --configprint certname)\""
-].join(' ')
-
-master_opts = {
- 'master' => {
- 'reportdir' => reportdir,
- 'reports' => 'store',
- }
-}
-
-# In PE, the master is running as non-root. We need to set the
-# reportdir permissions correctly for it.
-on master, "chmod 750 #{reportdir}"
-if options.is_pe?
- on master, "chown pe-puppet:pe-puppet #{reportdir}"
-elsif master.is_using_passenger?
- on master, "chown puppet:puppet #{reportdir}"
-end
-
-with_puppet_running_on(master, master_opts) do
- on master, submit_bad_yaml
- on master, "cat #{reportdir}/$(puppet master --configprint certname)/*" do
- assert_no_match(/ERB/, stdout, "Improperly propagated ERB object from input into puppet code")
- end
-end
-
-on master, "rm -rf #{reportdir}"
diff --git a/acceptance/tests/security/cve-2013-3567_yaml_parameter_deserialization.rb b/acceptance/tests/security/cve-2013-3567_yaml_parameter_deserialization.rb
deleted file mode 100644
index a2b20e0d7..000000000
--- a/acceptance/tests/security/cve-2013-3567_yaml_parameter_deserialization.rb
+++ /dev/null
@@ -1,36 +0,0 @@
-test_name "CVE-2013-3567 Arbitrary YAML Query Parameter Deserialization"
-
-CURL_UNABLE_TO_FETCH_PAGE = 22
-
-require 'uri'
-
-dangerous_yaml = "--- !ruby/object:Puppet::Node::Environment { name: 'manage' }"
-
-submit_bad_yaml_as_parameter = [
- "curl --tlsv1 -f -s -S -k -X GET",
- "--cacert $(puppet master --configprint cacert)",
- "--cert $(puppet master --configprint hostcert)",
- "--key $(puppet master --configprint hostprivkey)",
- "-H 'Accept: yaml'",
- "\"https://#{master}:8140/production/file_metadata/modules/testing/tested?links=#{URI.encode(dangerous_yaml)}\""
-].join(' ')
-
-
-modules = master.tmpdir('modules')
-apply_manifest_on master, < directory, owner => puppet }
--> file { "#{modules}/testing": ensure => directory, owner => puppet }
--> file { "#{modules}/testing/files": ensure => directory, owner => puppet }
--> file { "#{modules}/testing/files/tested": ensure => file, content => "test", owner => puppet }
-MANIFEST
-
-master_opts = {
- 'master' => {
- 'modulepath' => modules,
- }
-}
-
-with_puppet_running_on(master, master_opts) do
- step "Expect the master to reject the request"
- on master, submit_bad_yaml_as_parameter, :acceptable_exit_codes => [CURL_UNABLE_TO_FETCH_PAGE]
-end