fqdn_rotate: Don't use the value itself as part of the random seed

elyscape · elyscape · commit 601f681787c8 · 2015-06-01T16:19:07.000-07:00
Previously, the random number generator was seeded with the array or
string to be rotated in addition to any values specifically provided for
seeding. This behavior is potentially insecure in that it allows an
attacker who can modify the source data to choose the post-shuffle
order.
diff --git a/lib/puppet/parser/functions/fqdn_rotate.rb b/lib/puppet/parser/functions/fqdn_rotate.rb
@@ -11,7 +11,7 @@ module Puppet::Parser::Functions
     raise(Puppet::ParseError, "fqdn_rotate(): Wrong number of arguments " +
       "given (#{arguments.size} for 1)") if arguments.size < 1
 
-    value = arguments[0]
+    value = arguments.shift
     require 'digest/md5'
 
     unless value.is_a?(Array) || value.is_a?(String)
diff --git a/spec/acceptance/fqdn_rotate_spec.rb b/spec/acceptance/fqdn_rotate_spec.rb
@@ -36,7 +36,7 @@
       EOS
 
       apply_manifest(pp, :catch_failures => true) do |r|
-        expect(r.stdout).to match(/fqdn_rotate is \["c", "d", "a", "b"\]/)
+        expect(r.stdout).to match(/fqdn_rotate is \["d", "a", "b", "c"\]/)
       end
     end
   end
diff --git a/spec/functions/fqdn_rotate_spec.rb b/spec/functions/fqdn_rotate_spec.rb
@@ -5,10 +5,6 @@
   it { is_expected.to run.with_params().and_raise_error(Puppet::ParseError, /wrong number of arguments/i) }
   it { is_expected.to run.with_params(0).and_raise_error(Puppet::ParseError, /Requires either array or string to work with/) }
   it { is_expected.to run.with_params({}).and_raise_error(Puppet::ParseError, /Requires either array or string to work with/) }
-  it {
-    pending("Current implementation ignores parameters after the first.")
-    is_expected.to run.with_params("one", "two").and_raise_error(Puppet::ParseError)
-  }
   it { is_expected.to run.with_params('').and_return('') }
   it { is_expected.to run.with_params('a').and_return('a') }
 
@@ -38,7 +34,7 @@
 
   it "should use the Puppet::Util.deterministic_rand function" do
     if Puppet::Util.respond_to?(:deterministic_rand)
-      Puppet::Util.expects(:deterministic_rand).with(113646079810780526294648115052177588845,4)
+      Puppet::Util.expects(:deterministic_rand).with(44489829212339698569024999901561968770,4)
       fqdn_rotate("asdf")
     else
       skip 'Puppet::Util#deterministic_rand not available'
