fix unsafe preservation across newlines (#74960) (#74975)

CVE-2021-3583
  ensure we always have unsafe

Co-authored-by: Rick Elrod <rick@elrod.me>
(cherry picked from commit 4c8c40fd3d)
pull/75004/head
Brian Coca 4 years ago committed by GitHub
parent 67d2d13997
commit 8aa850e357
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1,2 @@
security_fixes:
- templating engine fix for not preserving usnafe status when trying to preserve newlines. CVE-2021-3583

@ -1064,7 +1064,8 @@ class Templar:
try: try:
res = j2_concat(rf) res = j2_concat(rf)
if getattr(new_context, 'unsafe', False): unsafe = getattr(new_context, 'unsafe', False)
if unsafe:
res = wrap_var(res) res = wrap_var(res)
except TypeError as te: except TypeError as te:
if 'AnsibleUndefined' in to_native(te): if 'AnsibleUndefined' in to_native(te):
@ -1094,6 +1095,8 @@ class Templar:
res_newlines = _count_newlines_from_end(res) res_newlines = _count_newlines_from_end(res)
if data_newlines > res_newlines: if data_newlines > res_newlines:
res += self.environment.newline_sequence * (data_newlines - res_newlines) res += self.environment.newline_sequence * (data_newlines - res_newlines)
if unsafe:
res = wrap_var(res)
return res return res
except (UndefinedError, AnsibleUndefinedVariable) as e: except (UndefinedError, AnsibleUndefinedVariable) as e:
if fail_on_undefined: if fail_on_undefined:

@ -34,3 +34,7 @@ ansible-playbook 6653.yml -v "$@"
# https://github.com/ansible/ansible/issues/72262 # https://github.com/ansible/ansible/issues/72262
ansible-playbook 72262.yml -v "$@" ansible-playbook 72262.yml -v "$@"
# ensure unsafe is preserved, even with extra newlines
ansible-playbook unsafe.yml -v "$@"

@ -0,0 +1,19 @@
- hosts: localhost
gather_facts: false
vars:
nottemplated: this should not be seen
imunsafe: !unsafe '{{ nottemplated }}'
tasks:
- set_fact:
this_was_unsafe: >
{{ imunsafe }}
- set_fact:
this_always_safe: '{{ imunsafe }}'
- name: ensure nothing was templated
assert:
that:
- this_always_safe == imunsafe
- imunsafe == this_was_unsafe.strip()
Loading…
Cancel
Save