ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-07-27 07:01:22 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

avoid loading vars on unspecified basedir (cwd) (#42067)

Browse source 
* avoid loading vars on unspecified basedir (cwd)
This commit is contained in:
Brian Coca 2018-06-29 19:45:38 -04:00 committed by Toshio Kuratomi
commit de0e11c0d5
3 changed files with 15 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
changelogs/fragments/avoid_cwd_vars.yml Normal file
View file

@ -0,0 +1,2 @@
bugfixes:
- '**Security Fix** - avoid loading host/group vars from cwd when not specifying a playbook or playbook base dir'

8
lib/ansible/cli/__init__.py
View file

@ -664,7 +664,7 @@ class CLI(with_metaclass(ABCMeta, object)):
ansible_versions[counter] = 0 ansible_versions[counter] = 0
try: try:
ansible_versions[counter] = int(ansible_versions[counter]) ansible_versions[counter] = int(ansible_versions[counter])
except: except Exception:
pass pass
if len(ansible_versions) < 3: if len(ansible_versions) < 3:
for counter in range(len(ansible_versions), 3): for counter in range(len(ansible_versions), 3):
@ -809,6 +809,12 @@ class CLI(with_metaclass(ABCMeta, object)):
# the code, ensuring a consistent view of global variables # the code, ensuring a consistent view of global variables
variable_manager = VariableManager(loader=loader, inventory=inventory) variable_manager = VariableManager(loader=loader, inventory=inventory)
if hasattr(options, 'basedir'):
if options.basedir:
variable_manager.safe_basedir = True
else:
variable_manager.safe_basedir = True
# load vars from cli options # load vars from cli options
variable_manager.extra_vars = load_extra_vars(loader=loader, options=options) variable_manager.extra_vars = load_extra_vars(loader=loader, options=options)
variable_manager.options_vars = load_options_vars(options, CLI.version_info(gitinfo=False)) variable_manager.options_vars = load_options_vars(options, CLI.version_info(gitinfo=False))

7
lib/ansible/vars/manager.py
View file

@ -90,6 +90,7 @@ class VariableManager:
self._hostvars = None self._hostvars = None
self._omit_token = '__omit_place_holder__%s' % sha1(os.urandom(64)).hexdigest() self._omit_token = '__omit_place_holder__%s' % sha1(os.urandom(64)).hexdigest()
self._options_vars = defaultdict(dict) self._options_vars = defaultdict(dict)
self.safe_basedir = False
# bad cache plugin is not fatal error # bad cache plugin is not fatal error
try: try:
@ -110,6 +111,7 @@ class VariableManager:
omit_token=self._omit_token, omit_token=self._omit_token,
options_vars=self._options_vars, options_vars=self._options_vars,
inventory=self._inventory, inventory=self._inventory,
safe_basedir=self.safe_basedir,
) )
return data return data
@ -123,6 +125,7 @@ class VariableManager:
self._omit_token = data.get('omit_token', '__omit_place_holder__%s' % sha1(os.urandom(64)).hexdigest()) self._omit_token = data.get('omit_token', '__omit_place_holder__%s' % sha1(os.urandom(64)).hexdigest())
self._inventory = data.get('inventory', None) self._inventory = data.get('inventory', None)
self._options_vars = data.get('options_vars', dict()) self._options_vars = data.get('options_vars', dict())
self.safe_basedir = data.get('safe_basedir', False)
@property @property
def extra_vars(self): def extra_vars(self):
@ -183,7 +186,9 @@ class VariableManager:
) )
# default for all cases # default for all cases
basedirs = [self._loader.get_basedir()] basedirs = []
if self.safe_basedir: # avoid adhoc/console loading cwd
basedirs = [self._loader.get_basedir()]
if play: if play:
# first we compile any vars specified in defaults/main.yml # first we compile any vars specified in defaults/main.yml