CVE-2017-7481
Lookup returns wrap the result in unsafe, however when used through the
standard templar engine, this does not result in the jinja2 environment being
marked as unsafe as a whole. This means the lookup result looses the unsafe
protection and may become simple unicode strings, which can result in bad
things being re-templated.
This also adds a global lookup param and cfg options for lookups to allow
unsafe returns, so users can force the previous (insecure) behavior.
The makefile in docs/api/ had a top level check for the
'sphinx-build' tool, but the check was getting triggered
on 'make clean' when it is not needed and causing 'make rpm'
and similar builds to fail.
So this commit removes the check.
Fixes#24163
* Added test for 'RETURN' field in validate-modules
* print the field being tested.
Useful when the RETURN structure is complex.
* Fixed schema after CI traceback fail
* Fixed list_string_types
* Fixed line in 319 code for RETURN
* Big testing doc refactor
* Combine all the testing documentation in to one place to make it easier to find
* Convert everything to RST
* Create testing_network guide
* Create testing landing page
* For each section detail "how to run" and "how to extend testing"
* More examples
* Lots more detail
* Document deprecation of fetch module validate_md5 and update --tags merging deprecation
Update the default of --tags merging config option to merge by default
* Update CHANGELOG.md
Minor edit
This setting allows us to reference jinja2 and python stdlib docs
via docutils refs instead of hardcoding urls.
Fixes#18039
Remove extraneous sphinx config
* Add example task succeeding when RC is non-zero
I added an example on how to use the return code to decide yourself
what is considered a failure.
This might have helped for #23679.
* Use diff as example command, instead of robocopy
* Windows: Add Windows Subsystem for Linux documentation
As discussed during the Windows Working Group meeting we do want
documentation on running Ansible on Windows as it may help grow
the Windows/Ansible community and does work out-of-the-box.
However we do take care to emphasize that WSL is not fit for
production use.
* Update intro_windows.rst
Edits for mechanics and clarity.
The Python3 dev doc is more general than just modules
* Rename it to make that obvious.
* Move generally applicable Python3 information to the Controller section
* Add a Py3/Py2 section on formatting strings
* Fix code-blocks to highlight as python
* Enhance python3 support page
* Add Python3/Python2 compat note
Due to the number of "real world" caveats in the current runas become method, it was agreed that we'd warn that it's experimental on use. A potential future version based on LogonUser/CreateProcessAsUser will have very different requirements and limitations.
* fix 'sequence' lookup shortcut syntax and documentation
* Update playbooks_loops.rst
Minor edits for grammar and clarity.
* Update playbooks_loops.rst
Another tweak for clarity.
* Updated 2.4 roadmap for final publish
* Update ROADMAP_2_4.rst
* Remove "code refactor and unit tests"
This is just technical debt work, and not note-worthy for the roadmap
* Update ROADMAP_2_4.rst
* Update ROADMAP_2_4.rst
* Update module_utils.six to latest
We've been held back on the version of six we could use on the module
side to 1.4.x because of python-2.4 compatibility. Now that our minimum
is Python-2.6, we can update to the latest version of six in
module_utils and get rid of the second copy in lib/ansible/compat.
* cloudstack: fix connection by ENV vars and configs overloading
* cloudstack: pep8 cloudstack module_utils
* cloudstack: allow api_url to be set in ini config
* docsite: explain ENV vars support as written in python-cs for ansible
Changes to the metadata format were approved here:
https://github.com/ansible/proposals/issues/54
* Update documentation to the new metadata format
* Changes to metadata-tool to account for new metadata
* Add GPL license header
* Add upgrade subcommand to upgrade metadata version
* Change default metadata to the new format
* Fix exclusion of non-modules from the metadata report
* Fix ansible-doc for new module metadata
* Exclude metadata version from ansible-doc output
* Fix website docs generation for the new metadata
* Update metadata schema in valiate-modules test
* Update the metadata in all modules to the new version
Raise the bar for module `DOCUMENTAION`
This validator update was used to find the issues in https://github.com/ansible/ansible/pull/22297/files
**Validation**
* Updated Validation and docs to enforce more (items fixed in https://github.com/ansible/ansible/pull/22297/files)
* Use `suboptions` to document complex options
* Validate module name
* Validate deprecated modules have correct ANSIBLE_METADATA
**Module Documentation Generation**
* Document `suboptions:` Example https://gist.github.com/gundalow/4bdc3669d696268328ccc18528cc6718
* Tidy up HTML generation (valid HTML, no empty lists, etc)
**Documentation**
* Clarify the steps for deprecating a module
* Use correct RST headings
* Document `suboptions:` (options)
* Document `contains:` (returns)
**Details**
The aim is to get this (and corresponding module updates) complete by the time `devel` becomes `2.4`, as this allows us to raise the bar for new modules
Example `suboptions` https://gist.github.com/gundalow/4bdc3669d696268328ccc18528cc6718
The aim is to get this PR integrated into `devel` *before* we branch `stable-2.3`, this will allows us to:
* Raise the bar for new modules in 2.4
* Ensure the generated module documentation for 2.3 and higher is improved, important as we will be doing versioned docs moving forward.
The existing examples in the "Gotchas" section were rather simple. Expanded upon those to add some additional clarity around how the quoting in YAML works.
* Added example of referring to AWS-credentials
.. when they're stored in variables. Spent few hours trying to figure out why credentials from vault/variables were not used.
* Update guide_aws.rst
Edited for grammar.
* inventory: test 'all' & 'ungrouped' groups created by default
* Mention default groups 'all' & 'ungrouped'
* Update intro_inventory.rst
Minor grammatical edit.
This commit also adds a new test script (ansible-var-precedence-check.py in code-smell/)
to provide us with another line of defense against precedence bugs going forward.
The precedence docs state that the INI vars have a lower precedence than group/host
vars files for inventory and playbooks, however that has not been the case since 2.0
was released. This change fixes that in one way, though not exactly as the docs say.
The rules are:
1) INI/script < inventory dir < playbook dir
2) "all" group vars < other group_vars < host_vars
So the new order will be (from the test script mentioned above):
8. pb_host_vars_file - var in playbook/host_vars/host
9. ini_host_vars_file - var in inventory/host_vars/host
10. ini_host - host var inside the ini
11. pb_group_vars_file_child - var in playbook/group_vars/child
12. ini_group_vars_file_child - var in inventory/group_vars/child
13. pb_group_vars_file_parent - var in playbook/group_vars/parent
14. ini_group_vars_file_parent - var in inventory/group_vars/parent
15. pb_group_vars_file_all - var in playbook/group_vars/all
16. ini_group_vars_file_all - var in inventory/group_vars/all
17. ini_child - child group var inside the ini
18. ini_parent - parent group var inside the ini
19. ini_all - all group var inside the ini
Fixes#21845