* fixed fetch traversal from slurp
* ignore slurp result for dest
* fixed naming when source is relative
* fixed bug in local connection plugin
* added tests with fake slurp
* moved existing role tests into runme.sh
* normalized on action excepts
* moved dest transform down to when needed
* added is_subpath check
* fixed bug in local connection
fixes#67793
CVE-2019-3828
(cherry picked from commit ba87c225cd)
* when possible, use filedescriptors from mkstemp to avoid race
* when using path strings, ensure we are always creating the file
CVE-2020-1740
Fixes#67798
Co-authored-by: samdoran
(cherry picked from commit 28f9fbdb5e)
* Remove the params module option from ldap_attr and ldap_entry
Module options that circumvent Ansible's option handling were disallowed
in:
https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html
Additionally, this particular usage can be insecure if bind_pw is set
this way as the password could end up in a logfile or displayed on
stdout.
Fixes CVE-2020-1746
(cherry picked from commit 0ff609f1bc)
* Fix formatting for option names
Co-Authored-By: Felix Fontein <felix@fontein.de>
* Fix fail_json
* update sanity
* fix indentation error
Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
* prevent ansible_facts injection (#68431)
- also only replace when needed
- switched from replace to index
- added test to verify bogus_facts are not accepted
CVE-2020-10684
(cherry picked from commit a9d2ceafe4)
* add to ignore
* fix vault tmpe file handling
* use local temp dir instead of system temp
* ensure each worker clears dataloader temp files
* added test for dangling temp files
* added notes to data loader
CVE-2020-10685
(cherry picked from commit 6452a82452)
* subversion module - provide password securely when possible or warn (#67829)
* subversion module - provide password securely with svn command line option --password-from-stdin when possible, and provide a warning otherwise.
* Update lib/ansible/modules/source_control/subversion.py.
* Add a test.
Co-authored-by: Sam Doran <sdoran@redhat.com>
(cherry picked from commit d91658ec0c)
* Create the OUTPUT_DIR and make sure it is removed at the end
* fix sanity test
* win_unzip - normalize and compare paths to prevent path traversal (#67799)
* Actually inspect the paths and prevent escape
* Add integration tests
* Generate zip files for use in integration test
* Adjust error message
(cherry picked from commit d30c57ab22)
* Fix tests for 2.7
* Update tests to use RHEL 7.8.
Keeping support for RHEL 7.6 since collections are still using it.
* Fix tests for RHEL 7.7+ due to extras repo name change..
(cherry picked from commit 04edd77c42)
Co-authored-by: Matt Clay <mclay@redhat.com>
* add changelog fragment
Signed-off-by: Rick Elrod <rick@elrod.me>
* Update changelogs/fragments/ansible-test-opensuse-15.1.yml
Co-Authored-By: Matt Clay <matt@mystile.com>
* handle installing mysql on suse
Signed-off-by: Rick Elrod <rick@elrod.me>
* attempt to get tests passing again
Signed-off-by: Rick Elrod <rick@elrod.me>
* Update docker.txt to use the OpenSUSE 15.1 container image
Signed-off-by: Rick Elrod <rick@elrod.me>
Co-authored-by: Matt Clay <matt@mystile.com>
* Remove Tower module tests from CI.
The required AMIs are no longer available.
* Mark Tower tests as unsupported..
(cherry picked from commit b041d96762)
Co-authored-by: Matt Clay <mclay@redhat.com>
* ansible-test - add constraint for virtualenv
* Limit virtualenv only on macOS.
Co-authored-by: Matt Clay <matt@mystile.com>.
(cherry picked from commit 8f296a6533)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Add constraint for Jinja2 on Python 2.6.
* Fix constraint in inventory_aws_conformance test.
* Add constrraints for template_jinja2_latest test..
(cherry picked from commit 965854fbd2)
Co-authored-by: Matt Clay <matt@mystile.com>
* Add test constraint for setuptools.
* Update pip test to work on centos6 container..
(cherry picked from commit 51e5b714e0)
Co-authored-by: Matt Clay <matt@mystile.com>
* Fix nxos_file_copy option value path validation
* Modify `local_file`, `local_file_directory` and
`remote_file` option type from `str` to `path`
so that the option value is validated in Ansible
for a legitimate path value
* Fix review comments
(cherry picked from commit 88008badb1)
CVE-2019-14904 - solaris_zone module accepts zone name and performs actions related to that.
However, there is no user input validation done while performing actions.
A malicious user could provide a crafted zone name which allows executing commands
into the server manipulating the module behaviour.
Adding user input validation as per Solaris Zone documentation fixes this issue.
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* docs: update to latest 3 versions (#64109)
(cherry picked from commit 409545825f)
* [Doc-Release-2.9] update release and maintenance page for 2.9 (#64166)
* update release and maintenance page for 2.9
* only 2.4 and earlier used the old changelog system
(cherry picked from commit 3f808d9ed6)
* [stable-2.7] Wrap CLI passwords as AnsibleUnsafeText (#63352)
* isa string should rewrap as unsafe in get_validated_value
* _is_unsafe shouldn't be concerned with underlying types
* Start with passwords as text, instead of bytes
* Remove unused imports
* Add changelog fragment
* Update changelog with CVE.
(cherry picked from commit baeff7462d)
Co-authored-by: Matt Martz <matt@sivel.net>
* Update tests
This new script does not depend on ansible-test and provides much more robust job matrix testing.
It is also run on every job in the matrix now, to detect issues with jobs being re-run after matrix changes are made.
(cherry picked from commit d3da8e4a5b)
This avoids displaying the credentials in CI when retrying tests at maximum verbosity.
(cherry picked from commit b73e772)
Co-authored-by: Matt Clay <matt@mystile.com>
Brian Coca