archive
/
ansible
mirror of https://github.com/ansible/ansible.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[stable-2.5] avoid loading vars on unspecified basedir (cwd) (#42067) (#42139)

Browse Source 
* avoid loading vars on unspecified basedir (cwd)
(cherry picked from commit de0e11c)

Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>
pull/42207/head
Toshio Kuratomi 7 years ago committed by Matt Davis
parent f942d71b36
commit 10d6fe6c98
3 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File

2
changelogs/fragments/avoid_cwd_vars.yml
Unescape Escape View File

@ -0,0 +1,2 @@
bugfixes:
- '**Security Fix** - avoid loading host/group vars from cwd when not specifying a playbook or playbook base dir'

8
lib/ansible/cli/__init__.py
Unescape Escape View File

@ -662,7 +662,7 @@ class CLI(with_metaclass(ABCMeta, object)):
ansible_versions[counter] = 0 ansible_versions[counter] = 0
try: try:
ansible_versions[counter] = int(ansible_versions[counter]) ansible_versions[counter] = int(ansible_versions[counter])
except: except Exception:
pass pass
if len(ansible_versions) < 3: if len(ansible_versions) < 3:
for counter in range(len(ansible_versions), 3): for counter in range(len(ansible_versions), 3):
@ -807,6 +807,12 @@ class CLI(with_metaclass(ABCMeta, object)):
# the code, ensuring a consistent view of global variables # the code, ensuring a consistent view of global variables
variable_manager = VariableManager(loader=loader, inventory=inventory) variable_manager = VariableManager(loader=loader, inventory=inventory)
if hasattr(options, 'basedir'):
if options.basedir:
variable_manager.safe_basedir = True
else:
variable_manager.safe_basedir = True
# load vars from cli options # load vars from cli options
variable_manager.extra_vars = load_extra_vars(loader=loader, options=options) variable_manager.extra_vars = load_extra_vars(loader=loader, options=options)
variable_manager.options_vars = load_options_vars(options, CLI.version_info(gitinfo=False)) variable_manager.options_vars = load_options_vars(options, CLI.version_info(gitinfo=False))

5
lib/ansible/vars/manager.py
Unescape Escape View File

@ -90,6 +90,7 @@ class VariableManager:
self._hostvars = None self._hostvars = None
self._omit_token = '__omit_place_holder__%s' % sha1(os.urandom(64)).hexdigest() self._omit_token = '__omit_place_holder__%s' % sha1(os.urandom(64)).hexdigest()
self._options_vars = defaultdict(dict) self._options_vars = defaultdict(dict)
self.safe_basedir = False
# bad cache plugin is not fatal error # bad cache plugin is not fatal error
try: try:
@ -110,6 +111,7 @@ class VariableManager:
omit_token=self._omit_token, omit_token=self._omit_token,
options_vars=self._options_vars, options_vars=self._options_vars,
inventory=self._inventory, inventory=self._inventory,
safe_basedir=self.safe_basedir,
) )
return data return data
@ -123,6 +125,7 @@ class VariableManager:
self._omit_token = data.get('omit_token', '__omit_place_holder__%s' % sha1(os.urandom(64)).hexdigest()) self._omit_token = data.get('omit_token', '__omit_place_holder__%s' % sha1(os.urandom(64)).hexdigest())
self._inventory = data.get('inventory', None) self._inventory = data.get('inventory', None)
self._options_vars = data.get('options_vars', dict()) self._options_vars = data.get('options_vars', dict())
self.safe_basedir = data.get('safe_basedir', False)
@property @property
def extra_vars(self): def extra_vars(self):
@ -183,6 +186,8 @@ class VariableManager:
) )
# default for all cases # default for all cases
basedirs = []
if self.safe_basedir: # avoid adhoc/console loading cwd
basedirs = [self._loader.get_basedir()] basedirs = [self._loader.get_basedir()]
if play: if play:

Write Preview
Loading…
Cancel
Save