Consul RCE vulnerability enable-script-checks

Merge branch 'security-consul-rce' into 'master'

See merge request gitlab-org/security/omnibus-gitlab!368

Changelog: security

Author: Clemens Beck

files/gitlab-config-template/gitlab.rb.template

@@ -3137,7 +3137,8 @@ external_url 'GENERATED_EXTERNAL_URL'
 # consul['configuration'] = {
 #   'client_addr' => nil,
 #   'datacenter' => 'gitlab_consul',
-#   'enable_script_checks' => true,
+#   'enable_script_checks' => false,
+#   'enable_local_script_checks' => true,
 #   'server' => false
 # }
 # consul['services'] = []

files/gitlab-cookbooks/consul/libraries/consul_helper.rb

@@ -15,7 +15,8 @@ def initialize(node)
       'client_addr' => nil,
       'datacenter' => 'gitlab_consul',
       'disable_update_check' => true,
-      'enable_script_checks' => true,
+      'enable_script_checks' => false,
+      'enable_local_script_checks' => true,
       'node_name' => node['consul']['node_name'] || node['fqdn'],
       'rejoin_after_leave' => true,
       'server' => false,

spec/chef/cookbooks/consul/recipes/consul_spec.rb

@@ -103,7 +103,8 @@
         expect(chef_run).to render_file(consul_conf).with_content { |content|
           expect(content).to match(%r{"datacenter":"gitlab_consul"})
           expect(content).to match(%r{"disable_update_check":true})
-          expect(content).to match(%r{"enable_script_checks":true})
+          expect(content).to match(%r{"enable_script_checks":false})
+          expect(content).to match(%r{"enable_local_script_checks":true})
           expect(content).to match(%r{"node_name":"fauxhai.local"})
           expect(content).to match(%r{"rejoin_after_leave":true})
           expect(content).to match(%r{"server":false})