ansible/test/integration/targets/ansible-galaxy-role/tasks/dir-traversal.yml

- name: create test directories
  file:
    path: '{{ remote_tmp_dir }}/dir-traversal/{{ item }}'
    state: directory
  loop:
    - source
    - target
    - roles

- name: create test content
  copy:
    dest: '{{ remote_tmp_dir }}/dir-traversal/source/content.txt'
    content: |
      some content to write

- name: build dangerous dir traversal role
  script:
    chdir: '{{ remote_tmp_dir }}/dir-traversal/source'
    cmd: create-role-archive.py dangerous.tar content.txt {{ remote_tmp_dir }}/dir-traversal/target/target-file-to-overwrite.txt
    executable: '{{ ansible_playbook_python }}'

- name: install dangerous role
  command:
    cmd: ansible-galaxy role install --roles-path '{{ remote_tmp_dir }}/dir-traversal/roles' dangerous.tar
    chdir: '{{ remote_tmp_dir }}/dir-traversal/source'
  ignore_errors: true
  register: galaxy_install_dangerous

- name: check for overwritten file
  stat:
    path: '{{ remote_tmp_dir }}/dir-traversal/target/target-file-to-overwrite.txt'
  register: dangerous_overwrite_stat

- name: get overwritten content
  slurp:
    path: '{{ remote_tmp_dir }}/dir-traversal/target/target-file-to-overwrite.txt'
  register: dangerous_overwrite_content
  when: dangerous_overwrite_stat.stat.exists

- assert:
    that:
      - dangerous_overwrite_content.content|default('')|b64decode == ''
      - not dangerous_overwrite_stat.stat.exists
      - galaxy_install_dangerous is failed
Prevent roles from using symlinks to overwrite files outside of the installation directory (#81780) * Sanitize linkname during role installs * Add tests * add clog frag 1 year ago			`- name: create test directories`
			`file:`
			`path: '{{ remote_tmp_dir }}/dir-traversal/{{ item }}'`
			`state: directory`
			`loop:`
			`- source`
			`- target`
			`- roles`

			`- name: create test content`
			`copy:`
			`dest: '{{ remote_tmp_dir }}/dir-traversal/source/content.txt'`
			`content: \|`
			`some content to write`

			`- name: build dangerous dir traversal role`
			`script:`
			`chdir: '{{ remote_tmp_dir }}/dir-traversal/source'`
			`cmd: create-role-archive.py dangerous.tar content.txt {{ remote_tmp_dir }}/dir-traversal/target/target-file-to-overwrite.txt`
			`executable: '{{ ansible_playbook_python }}'`

			`- name: install dangerous role`
			`command:`
			`cmd: ansible-galaxy role install --roles-path '{{ remote_tmp_dir }}/dir-traversal/roles' dangerous.tar`
			`chdir: '{{ remote_tmp_dir }}/dir-traversal/source'`
			`ignore_errors: true`
			`register: galaxy_install_dangerous`

			`- name: check for overwritten file`
			`stat:`
			`path: '{{ remote_tmp_dir }}/dir-traversal/target/target-file-to-overwrite.txt'`
			`register: dangerous_overwrite_stat`

			`- name: get overwritten content`
			`slurp:`
			`path: '{{ remote_tmp_dir }}/dir-traversal/target/target-file-to-overwrite.txt'`
			`register: dangerous_overwrite_content`
			`when: dangerous_overwrite_stat.stat.exists`

			`- assert:`
			`that:`
			`- dangerous_overwrite_content.content\|default('')\|b64decode == ''`
			`- not dangerous_overwrite_stat.stat.exists`
			`- galaxy_install_dangerous is failed`