Fixing security issue with lookup returns not tainting the jinja2 environment

CVE-2017-7481 Lookup returns wrap the result in unsafe, however when used through the standard templar engine, this does not result in the jinja2 environment being marked as unsafe as a whole. This means the lookup result looses the unsafe protection and may become simple unicode strings, which can result in bad things being re-templated. This also adds a global lookup param and cfg options for lookups to allow unsafe returns, so users can force the previous (insecure) behavior.
2025-07-22 12:50:22 -07:00 · 2017-05-08 10:37:10 -05:00 · 2017-05-08 10:37:10 -05:00 · ed56f51f18
commit ed56f51f18
parent 6f4f7011f1
4 changed files with 31 additions and 3 deletions
--- a/lib/ansible/constants.py
+++ b/lib/ansible/constants.py
@ -236,6 +236,7 @@ DEFAULT_INVENTORY_IGNORE  = get_config(p, DEFAULTS, 'inventory_ignore_extensions
                                       ["~", ".orig", ".bak", ".ini", ".cfg", ".retry", ".pyc", ".pyo"], value_type='list')
 DEFAULT_VAR_COMPRESSION_LEVEL = get_config(p, DEFAULTS, 'var_compression_level', 'ANSIBLE_VAR_COMPRESSION_LEVEL', 0, value_type='integer')
 DEFAULT_INTERNAL_POLL_INTERVAL = get_config(p, DEFAULTS, 'internal_poll_interval', None, 0.001, value_type='float')
+DEFAULT_ALLOW_UNSAFE_LOOKUPS = get_config(p, DEFAULTS, 'allow_unsafe_lookups', None, False, value_type='boolean')
 ERROR_ON_MISSING_HANDLER  = get_config(p, DEFAULTS, 'error_on_missing_handler', 'ANSIBLE_ERROR_ON_MISSING_HANDLER', True, value_type='boolean')
 SHOW_CUSTOM_STATS = get_config(p, DEFAULTS, 'show_custom_stats', 'ANSIBLE_SHOW_CUSTOM_STATS', False, value_type='boolean')
 NAMESPACE_FACTS = get_config(p, DEFAULTS, 'restrict_facts_namespace', 'ANSIBLE_RESTRICT_FACTS', False, value_type='boolean')
--- a/lib/ansible/template/init.py
+++ b/lib/ansible/template/init.py
@ -252,6 +252,9 @@ class Templar:
            loader=FileSystemLoader(self._basedir),
        )

+        # the current rendering context under which the templar class is working
+        self.cur_context = None
+
        self.SINGLE_VAR = re.compile(r"^%s\s*(\w*)\s*%s$" % (self.environment.variable_start_string, self.environment.variable_end_string))

        self._clean_regex   = re.compile(r'(?:%s|%s|%s|%s)' % (
@ -574,6 +577,7 @@ class Templar:

        if instance is not None:
            wantlist = kwargs.pop('wantlist', False)
+            allow_unsafe = kwargs.pop('allow_unsafe', C.DEFAULT_ALLOW_UNSAFE_LOOKUPS)

            from ansible.utils.listify import listify_lookup_plugin_terms
            loop_terms = listify_lookup_plugin_terms(terms=args, templar=self, loader=self._loader, fail_on_undefined=True, convert_bare=False)
@ -588,7 +592,8 @@ class Templar:
                                       "original message: %s" % (name, type(e), e))
                ran = None

-            if ran:
+            if ran and not allow_unsafe:
+                from ansible.vars.unsafe_proxy import UnsafeProxy, wrap_var
                if wantlist:
                    ran = wrap_var(ran)
                else:
@ -600,6 +605,8 @@ class Templar:
                        else:
                            ran = wrap_var(ran)

+                if self.cur_context:
+                    self.cur_context.unsafe = True
            return ran
        else:
            raise AnsibleError("lookup plugin (%s) not found" % name)
@ -656,7 +663,7 @@ class Templar:

            jvars = AnsibleJ2Vars(self, t.globals)

-            new_context = t.new_context(jvars, shared=True)
+            self.cur_context = new_context = t.new_context(jvars, shared=True)
            rf = t.root_render_func(new_context)

            try: