MCollective provides extensive input data validation to prevent attacks and injections into your agents, closing off attack vectors such as shell injection.
Traditionally we shipped a number of pre-made validator plugins that could be used in agents and DDL files, but you could not easily add your own.
As of version 2.2.0 you can write new Validator plugins that allow you to extend the DDL and Agent validation methods.
We’ll write a new validator plugin that checks whether a string is a valid Exim message ID like 1Svk5S-0001AW-I5.
Validator plugins and their DDL files go in the validator directory under the libdir on both the servers and the clients.
The basic validator plugin that will validate any data against this regular expression can be seen here:
All you need to do is provide a self.validate method that takes one argument and performs whatever validation you want against the input data.
Here we first confirm it is a string and then we do the regular expression match against that. Any Exception that gets raised will result in validation failing.
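A stand-alone sketch of the self.validate contract described above, added here as an illustration and not the plugin code from the MCollective documentation. It assumes the 6-6-2 alphanumeric layout of the sample ID; the module name, the valid? helper and the LINE_ANCHORED pattern are hypothetical, and the sample inputs are constructed.

```ruby
# Added example, not MCollective's shipped plugin. ExampleValidators,
# valid? and LINE_ANCHORED are hypothetical names used for illustration.
module ExampleValidators
  ID = "[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}" # assumed 6-6-2 layout

  # \A and \z anchor the whole string, so nothing may precede or follow the ID.
  MSGID = /\A#{ID}\z/
  # ^ and $ anchor per line in Ruby: a valid first line lets extra lines through.
  LINE_ANCHORED = /^#{ID}$/

  class EximMsgidValidator
    # One argument; any exception raised means validation failed.
    def self.validate(msgid)
      raise ArgumentError, "msgid must be a String" unless msgid.is_a?(String)
      raise ArgumentError, "not a valid Exim message ID" unless MSGID.match?(msgid)
      true
    end

    # Boolean wrapper around validate, for callers that prefer not to rescue.
    def self.valid?(msgid)
      validate(msgid)
    rescue ArgumentError
      false
    end
  end
end

# Constructed sample inputs; only the first is the ID quoted on this page.
SAMPLES = [
  "1Svk5S-0001AW-I5",
  "1Svk5S-0001AW-I5; id",
  "1Svk5S-0001AW-I5\nsecond line",
  "1Svk5S-0001AW",
  12345,
].freeze

SAMPLES.each do |input|
  verdict = ExampleValidators::EximMsgidValidator.valid?(input) ? "accept" : "reject"
  puts format("%-36s %s", input.inspect, verdict)
end
```

Only the first sample is accepted. The multi-line sample is the case that separates the two patterns: LINE_ANCHORED matches it, MSGID does not.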
As with other plugins, these plugins need a DDL file; all it supports is the metadata section.
You can use the validator in any DDL file, here is a snippet matching an input using the new exim_msgid validator:
Note here we are using our new validator to validate the msgid input.
Agents can also have validation. Traditionally this included the normal things like regular expressions, but now you can also use the validator plugins here:
Here we’ve extended the basic validate helper of the RPC Agent with our own plugin and used it to validate a specific input.
You can obtain a list of validators using the plugin application:
Note our new exim_msgid plugin appears in this list.