Ensure discovery unsafe (#55295)

* Ensure safe discovery by marking it Unsafe
6 years ago · 24b44e1772
parent de3bd8b791
commit 24b44e1772
2 changed files with 6 additions and 3 deletions
--- a/changelogs/fragments/ensure_discovery_unsafe.yml
+++ b/changelogs/fragments/ensure_discovery_unsafe.yml
@ -0,0 +1,3 @@
+bugfixes:
+    - SECURITY Fixed the python interpreter detection, added in 2.8.0alpha1, to properly mark the returned data as untemplatable.
+      This prevents a malicious managed machine from running code on the controller via templating.
--- a/lib/ansible/plugins/action/init.py
+++ b/lib/ansible/plugins/action/init.py
@ -29,7 +29,7 @@ from ansible.module_utils._text import to_bytes, to_native, to_text
 from ansible.parsing.utils.jsonify import jsonify
 from ansible.release import __version__
 from ansible.utils.display import Display
-from ansible.utils.unsafe_proxy import wrap_var
+from ansible.utils.unsafe_proxy import wrap_var, AnsibleUnsafeText
 from ansible.vars.clean import remove_internal_keys

 display = Display()
@ -203,11 +203,11 @@ class ActionBase(with_metaclass(ABCMeta, object)):
                                                                            environment=final_environment)
                break
            except InterpreterDiscoveryRequiredError as idre:
-                self._discovered_interpreter = discover_interpreter(
+                self._discovered_interpreter = AnsibleUnsafeText(discover_interpreter(
                    action=self,
                    interpreter_name=idre.interpreter_name,
                    discovery_mode=idre.discovery_mode,
-                    task_vars=task_vars)
+                    task_vars=task_vars))

                # update the local task_vars with the discovered interpreter (which might be None);
                # we'll propagate back to the controller in the task result