Harden root_password class

Prior to this commit there was a possibility that malformed strings could be passed in to the resource. This could lead to unsafe executions on a remote system. The parameters that are susceptible are `install_secret_file`. This commit fixes the above by adding validation to ensure the given values confirm to expectation. `secret_file` is validated with a regular expression that ensures the given value is a valid path.
puppetlabs · Aug 17, 2022 · 66479fb · 66479fb
1 parent 1469fbf
commit 66479fb
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/manifests/server/root_password.pp b/manifests/server/root_password.pp
@@ -19,6 +19,12 @@
   $secret_file = $mysql::server::install_secret_file
   $login_file = $mysql::server::login_file
 
+  # Validate that the given secret_file value is a valid path
+  if $secret_file !~ /^\/(?:.[A-Za-z0-9_-]+\/?+)+(?:.[A-Za-z0-9]+)$/ {
+    $message = "Invalid value provided for parameter install_secret_file. '${secret_file}' is not a valid path."
+    fail($message)
+  }
+
   # New installations of MySQL will configure a default random password for the root user
   # with an expiration. No actions can be performed until this password is changed. The
   # below exec will remove this default password. If the user has supplied a root