Fixes de-registering datastore options validation#21529
Draft
cgranleese-r7 wants to merge 1 commit into
Draft
Conversation
|
Additional test pipeline started ⌛ |
|
Slice summary: No test slices found. Note: build results only accessible to maintainers. |
cgranleese-r7
force-pushed
the
improve-deregistered-datastore-options-validation
branch
from
7b85389 to
4dab3fc
Compare
|
Additional test pipeline started ⌛ |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses metasploit-framework issue #21319 by preventing options that a module has explicitly deregistered from being written into or read back out of a module’s datastore, and adds RSpec coverage to guard against regressions in common workflows (including shell-to-meterpreter handler/payload datastore sharing).
Changes:
- Add tracking of deregistered option keys inside
Msf::ModuleDataStoreand filter reads/writes for those keys. - Ensure deregistration state is copied alongside datastore state (
copy_state) and cleared when a key is re-registered (import_options). - Add a new spec suite covering direct assignment,
_import_extra_options, framework datastore fallback reads, re-registering previously-deregistered options, andshare_datastoreshell-to-meterpreter patterns.
Impact Analysis:
- Blast radius: high —
Msf::ModuleDataStoreis core infrastructure used broadly across module execution and inter-module workflows. - Data and contract effects: changes datastore semantics for deregistered keys (they should no longer be observable); interactions with datastore merging/sharing/copying are particularly sensitive.
- Rollback and test focus: focus on module invocation from other modules, handler/payload datastore workflows, and any code paths that merge/copy datastores (e.g., console handler flows); rollback should be straightforward (single core file + specs) but correctness should be validated via the full test suite and targeted manual runs mentioned in the PR description.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
lib/msf/core/module_data_store.rb |
Adds deregistered-key tracking and filtering hooks to prevent deregistered options from being set or resolved (including via framework datastore fallback). |
spec/lib/msf/core/module_data_store_filter_spec.rb |
Adds regression specs for deregistered option filtering across assignment/import/fallback/copy/share and re-registering scenarios. |
|
Slice summary:
Note: build results only accessible to maintainers. |
cgranleese-r7
force-pushed
the
improve-deregistered-datastore-options-validation
branch
from
4dab3fc to
dfb1ebb
Compare
cgranleese-r7
force-pushed
the
improve-deregistered-datastore-options-validation
branch
from
dfb1ebb to
184334b
Compare
cgranleese-r7
force-pushed
the
improve-deregistered-datastore-options-validation
branch
from
184334b to
96b43d5
Compare
|
Additional test pipeline started ⌛ |
|
Slice summary:
Note: build results only accessible to maintainers. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR addresses #21319.
The goal here was to address:
This comment calls out some example modules that replicates the issue (thanks for writing those up @zeroSteiner, they were super helpful).
Before
After
Notes
Specs were added so we if the implementation is changed in the future we will know if options start leaking back in. I also added a spec to cover the shell to Meterpreter workflows.
TODO LIST
Verification