Safemode doesn't allow to access 'block_pass' on &:present?


#1

Hello,

I am just preparing demo for OSS Europe and I noticed that the bug in
safemode hasn't been fixed in 1.15.6 yet. That's a blocker bug we
should consider fixing in 1.15 series.

Was there a bump of safemode gem or templates? The issue is with:

Katello Kickstart Default template:
https://gist.github.com/lzap/df6c103573dba61cc5bc22d39c6201b6

LZ

--
Later,
Lukas @lzap Zapletal

#2

Looks like Katello ships some extra templates?
http://projects.theforeman.org/issues/21406


Later,
Lukas @lzap Zapletal


#3

It's been like this for a long time. I started to work on unification recently
and I have it in my branch but I need to add a migration for existing Katello
users. There's no need to have separate Katello templates.

Anyway, as a workaround, the &: syntax needs to be replaced before we unify
them.

-- Marek

On Friday, 20 October 2017 14:28:59 CEST, Lukas Zapletal wrote:

> Looks like Katello ships some extra templates?
> Bug #21406: Remove to_proc syntax from Katello Kickstart Default - Katello - Foreman
>
> On Fri, Oct 20, 2017 at 2:01 PM, Lukas Zapletal lzap@redhat.com wrote:
>
> > Hello,
> >
> > I am just preparing demo for OSS Europe and I noticed that the bug in
> > safemode hasn’t been fixed in 1.15.6 yet. That’s a blocker bug we
> > should consider fixing in 1.15 series.
> >
> > Was there a bump of safemode gem or templates? The issue is with:
> >
> > Katello Kickstart Default template:
> > https://gist.github.com/lzap/df6c103573dba61cc5bc22d39c6201b6
> >
> > LZ
>
> Later,
> Lukas @lzap Zapletal


#4

What do you replace the &: syntax with?
Thanks!


#5

The replacement is very simple. In case you have, for example, the following code:

host.interfaces.each(&:identifier)

all you need to do is replace it with

host.interfaces.each{|nic| nic.identifier}

(nic here is just an example, you can use any name for the element inside the block)

This ensures the shorthand &: can’t be exploited to escape safe mode jail. (Bug #20271: Safe mode rendering does not correctly prevent using symbol to proc calls - Foreman contains further details)


#6

Thanks!
This is the code I am trying to fix:
–nameserver=#{[subnet.dns_primary, subnet.dns_secondary].select(&:present?).join(',')}"


#7

--nameserver=#{[subnet.dns_primary, subnet.dns_secondary].select{|dns| dns.present?}.join(',')}"

should do it


#8

Thanks!
the dash dash kind of showed up as a single dash.
I changed from:
select(&:present?)
to:
select{|dns| dns.present?}
and it worked!
Thanks again!
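
The manual rewrite from posts #5 and #7, as an added example that is not part of the thread and is not Foreman or Safemode code: a small Ruby script that reports every &:method shorthand inside the ERB tags of a template and rewrites the parenthesised form to an explicit block. The sample template, the function names and the item block variable are constructed for illustration; matching is regex-based, so a &: inside a Ruby string literal within a tag would be matched as well.

```ruby
# Added example (not Foreman or Safemode code): report Symbol#to_proc block
# arguments ("&:name") inside ERB tags and rewrite them to explicit blocks.

ERB_TAG      = /<%.*?%>/m                         # <% ... %> and <%= ... %> tags
TO_PROC_ARG  = /&:[A-Za-z_]\w*[?!]?/              # any &:method occurrence
TO_PROC_CALL = /\(\s*&:([A-Za-z_]\w*[?!]?)\s*\)/  # parenthesised form: (&:method)

# Constructed sample template; the expressions are the ones quoted in the thread.
SAMPLE = <<~'ERB'
  <% host.interfaces.each(&:identifier) %>
  network --nameserver=<%= [subnet.dns_primary, subnet.dns_secondary].select(&:present?).join(',') %>
  # text outside ERB tags, such as &:not_ruby, is never touched
ERB

# Returns [line_number, "&:method"] for every shorthand found inside an ERB tag.
def find_to_proc(template)
  hits = []
  template.scan(ERB_TAG) do
    tag = Regexp.last_match
    first_line = tag.pre_match.count("\n") + 1
    tag[0].each_line.with_index do |line, offset|
      line.scan(TO_PROC_ARG) { |hit| hits << [first_line + offset, hit] }
    end
  end
  hits
end

# Rewrites "(&:method)" to " { |var| var.method }" inside ERB tags only.
# Forms without parentheses (each &:name) are left for manual review.
def rewrite_to_proc(template, var: 'item')
  template.gsub(ERB_TAG) do |tag|
    tag.gsub(TO_PROC_CALL) { " { |#{var}| #{var}.#{Regexp.last_match(1)} }" }
  end
end

if __FILE__ == $PROGRAM_NAME
  find_to_proc(SAMPLE).each { |line, hit| puts "line #{line}: #{hit}" }
  puts rewrite_to_proc(SAMPLE)
end
```

Running find_to_proc again on the rewritten template shows what still needs a manual edit before the template will render in safe mode.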