From 932abc0711f05b6f91af1dfce0061c848e4165a0 Mon Sep 17 00:00:00 2001 From: Martin Krizek Date: Fri, 5 May 2023 16:18:35 +0200 Subject: [PATCH] Prevent setting arbitrary attrs on Jinja2 envs via overrides (#80715) --- changelogs/fragments/no-arbitrary-j2-override.yml | 2 ++ lib/ansible/template/__init__.py | 5 ++++- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 changelogs/fragments/no-arbitrary-j2-override.yml diff --git a/changelogs/fragments/no-arbitrary-j2-override.yml b/changelogs/fragments/no-arbitrary-j2-override.yml new file mode 100644 index 00000000000..c2fcf1c565f --- /dev/null +++ b/changelogs/fragments/no-arbitrary-j2-override.yml @@ -0,0 +1,2 @@ +bugfixes: + - templating - prevent setting arbitrary attributes on Jinja2 environments via Jinja2 overrides in templates diff --git a/lib/ansible/template/__init__.py b/lib/ansible/template/__init__.py index f08cfcebb7e..f389b169390 100644 --- a/lib/ansible/template/__init__.py +++ b/lib/ansible/template/__init__.py @@ -932,7 +932,10 @@ class Templar: " Did you use something different from colon as key-value separator?" % pair.strip()) (key, val) = pair.split(':', 1) key = key.strip() - setattr(myenv, key, ast.literal_eval(val.strip())) + if hasattr(myenv, key): + setattr(myenv, key, ast.literal_eval(val.strip())) + else: + display.warning(f"Could not find Jinja2 environment setting to override: '{key}'") if escape_backslashes: # Allow users to specify backslashes in playbooks as "\\" instead of as "\\\\".