* fixed fetch traversal from slurp
* ignore slurp result for dest
* fixed naming when source is relative
* fixed bug in local connection plugin
* added tests with fake slurp
* moved existing role tests into runme.sh
* normalized on action excepts
* moved dest transform down to when needed
* added is_subpath check
* fixed bug in local connection
fixes #67793
CVE-2019-3828
(cherry picked from commit ba87c225cd)
* Remove the params module option from ldap_attr and ldap_entry
Module options that circumvent Ansible's option handling were disallowed
in:
https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html
Additionally, this particular usage can be insecure if bind_pw is set
this way as the password could end up in a logfile or displayed on
stdout.
Fixes CVE-2020-1746
(cherry picked from commit 0ff609f1bc)
* Fix formatting for option names
Co-Authored-By: Felix Fontein <felix@fontein.de>
* Fix fail_json
* update sanity
* fix indentation error
Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
* prevent ansible_facts injection (#68431)
- also only replace when needed
- switched from replace to index
- added test to verify bogus_facts are not accepted
CVE-2020-10684
(cherry picked from commit a9d2ceafe4)
* add to ignore
* fix vault temp file handling
* use local temp dir instead of system temp
* ensure each worker clears dataloader temp files
* added test for dangling temp files
* added notes to data loader
CVE-2020-10685
(cherry picked from commit 6452a82452)
* subversion module - provide password securely when possible or warn (#67829)
* subversion module - provide password securely with svn command line option --password-from-stdin when possible, and provide a warning otherwise.
* Update lib/ansible/modules/source_control/subversion.py.
* Add a test.
Co-authored-by: Sam Doran <sdoran@redhat.com>
(cherry picked from commit d91658ec0c)
* Create the OUTPUT_DIR and make sure it is removed at the end
* fix sanity test
* win_unzip - normalize and compare paths to prevent path traversal (#67799)
* Actually inspect the paths and prevent escape
* Add integration tests
* Generate zip files for use in integration test
* Adjust error message
(cherry picked from commit d30c57ab22)
* Fix tests for 2.7
* Update tests to use RHEL 7.8.
Keeping support for RHEL 7.6 since collections are still using it.
* Fix tests for RHEL 7.7+ due to extras repo name change.
(cherry picked from commit 04edd77c42)
Co-authored-by: Matt Clay <mclay@redhat.com>
* add changelog fragment
Signed-off-by: Rick Elrod <rick@elrod.me>
* Update changelogs/fragments/ansible-test-opensuse-15.1.yml
Co-Authored-By: Matt Clay <matt@mystile.com>
* handle installing mysql on suse
Signed-off-by: Rick Elrod <rick@elrod.me>
* attempt to get tests passing again
Signed-off-by: Rick Elrod <rick@elrod.me>
* Update docker.txt to use the OpenSUSE 15.1 container image
Signed-off-by: Rick Elrod <rick@elrod.me>
Co-authored-by: Matt Clay <matt@mystile.com>
* Remove Tower module tests from CI.
The required AMIs are no longer available.
* Mark Tower tests as unsupported.
(cherry picked from commit b041d96762)
Co-authored-by: Matt Clay <mclay@redhat.com>
* ansible-test - add constraint for virtualenv
* Limit virtualenv only on macOS.
Co-authored-by: Matt Clay <matt@mystile.com>
(cherry picked from commit 8f296a6533)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Add constraint for Jinja2 on Python 2.6.
* Fix constraint in inventory_aws_conformance test.
* Add constraints for template_jinja2_latest test.
(cherry picked from commit 965854fbd2)
Co-authored-by: Matt Clay <matt@mystile.com>
* Add test constraint for setuptools.
* Update pip test to work on centos6 container.
(cherry picked from commit 51e5b714e0)
Co-authored-by: Matt Clay <matt@mystile.com>
* [stable-2.7] Wrap CLI passwords as AnsibleUnsafeText (#63352)
* isa string should rewrap as unsafe in get_validated_value
* _is_unsafe shouldn't be concerned with underlying types
* Start with passwords as text, instead of bytes
* Remove unused imports
* Add changelog fragment
* Update changelog with CVE.
(cherry picked from commit baeff7462d)
Co-authored-by: Matt Martz <matt@sivel.net>
* Update tests
This new script does not depend on ansible-test and provides much more robust job matrix testing.
It is also run on every job in the matrix now, to detect issues with jobs being re-run after matrix changes are made.
(cherry picked from commit d3da8e4a5b)
This avoids displaying the credentials in CI when retrying tests at maximum verbosity.
(cherry picked from commit b73e772)
Co-authored-by: Matt Clay <matt@mystile.com>
- use include_vars to set appropriate packages and pip packages per distribution and version
- install an older version of Docker CE on RHEL 8 since a dependency is unavailable
- disable warnings on tasks that are ok
- skip tests for CentOS/RHEL 6.
(cherry picked from commit d50c8c2b83)
Co-authored-by: Sam Doran <sdoran@redhat.com>
- use single include_vars task rather than multiple set_fact tasks
- use multi-line YAML to break up long conditionals
- use version() test rather than direct comparisons
- use different appstream package on RHEL since '@swig:3.0/default' is not working in the GA.
(cherry picked from commit 16d6fcf514)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Skip gitlab tests if dependencies aren't met
* Skip certain unittests if passlib is not installed
* Fix tests with deps on paramiko to skip if paramiko is not installed
* Use pytest to skip for cloudstack
If either on Python-2.6 or the cs library is not installed we cannot run
this test so skip it.
(cherry picked from commit 8acf71f78f)
Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
- don't background the nuage-vsd-sim
- increase the async timeout
- use uri to actually query the simulator API to make sure it is ready for connections
(cherry picked from commit 911a2ec6d3)
* docsite: remove lexers which have been fixed in Pygments 2.4.0 (#57508)
* Remove lexers which have been fixed in Pygments 2.4.0.
* Add Pygments >= 2.4.0 to test runner.
* Fix pages that triggered lexer errors.
Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
(cherry picked from commit 505c99265c)
* fixes 'could not lex literal_block' errors
- Replace private key that expired on 2019-06-20 with a key that does not expire
- Document how to generate a new GPG key using an input file
(cherry picked from commit b9d77b997e)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Use different package for DNF tests
Ninja caused errors in Fedora 30. This works in both Fedora 29 and 30.
* Fix git integration tests
Git >= 2.21.0 has either a bug or change in behavior where it errors when fetching a
repository containing submodules that are behind the upstream submodule commits.
It's weird and I don't fully understand it.
Get around this by checking out specific commits from a repository rather than
switching the origin URL.
* Fix PostgreSQL tests
The error message is slightly different.
(cherry picked from commit 18feeb51a8)
Co-authored-by: Sam Doran <sdoran@redhat.com>