When parsing json from untrusted sources, remove templating tags

2025-07-02 14:40:19 -07:00 · 2014-06-30 15:59:32 -05:00 · 2014-06-30 15:59:32 -05:00 · 8ed6350e65
commit 8ed6350e65
parent eeb597360e
5 changed files with 41 additions and 19 deletions
--- a/lib/ansible/utils/init.py
+++ b/lib/ansible/utils/init.py
@ -313,7 +313,38 @@ def json_loads(data):

    return json.loads(data)

-def parse_json(raw_data):
+def _clean_data(orig_data):
+    ''' remove template tags from a string '''
+    data = orig_data
+    if isinstance(orig_data, basestring):
+        for pattern,replacement in (('{{','{#'), ('}}','#}'), ('{%','{#'), ('%}','#}')):
+            data = data.replace(pattern, replacement)
+    return data
+
+def _clean_data_struct(orig_data):
+    '''
+    walk a complex data structure, and use _clean_data() to
+    remove any template tags that may exist
+    '''
+    if isinstance(orig_data, dict):
+        data = orig_data.copy()
+        for key in data:
+            new_key = _clean_data_struct(key)
+            new_val = _clean_data_struct(data[key])
+            if key != new_key:
+                del data[key]
+            data[new_key] = new_val
+    elif isinstance(orig_data, list):
+        data = orig_data[:]
+        for i in range(0, len(data)):
+            data[i] = _clean_data_struct(data[i])
+    elif isinstance(orig_data, basestring):
+        data = _clean_data(orig_data)
+    else:
+        data = orig_data
+    return data
+
+def parse_json(raw_data, from_remote=False):
    ''' this version for module return data only '''

    orig_data = raw_data
@ -322,7 +353,7 @@ def parse_json(raw_data):
    data = filter_leading_non_json_lines(raw_data)

    try:
-        return json.loads(data)
+        results = json.loads(data)
    except:
        # not JSON, but try "Baby JSON" which allows many of our modules to not
        # require JSON and makes writing modules in bash much simpler
@ -332,7 +363,6 @@ def parse_json(raw_data):
        except:
            print "failed to parse json: "+ data
            raise
-
        for t in tokens:
            if "=" not in t:
                raise errors.AnsibleError("failed to parse: %s" % orig_data)
@ -347,7 +377,11 @@ def parse_json(raw_data):
            results[key] = value
        if len(results.keys()) == 0:
            return { "failed" : True, "parsed" : False, "msg" : orig_data }
-        return results
+
+    if from_remote:
+        results = _clean_data_struct(results)
+
+    return results

 def smush_braces(data):
    ''' smush Jinaj2 braces so unresolved templates like {{ foo }} don't get parsed weird by key=value code '''