authorBrian Coca <bcoca@users.noreply.github.com>2021-06-11 17:43:30 -0400
committerGitHub <noreply@github.com>2021-06-11 16:43:30 -0500
commit8b17e5b9229ffaecfe10a4881bc3f87dd2c184e1 (patch)
tree31dd89f7824a074864bec5b4705a63b587111b9b
parentc49092fd2929e85276bfe60fc63d3f47f8aa4646 (diff)
fix unsafe preservation across newlines (#74960) (#74976)
CVE-2021-3583: ensure the unsafe marker is always preserved on templated output. Co-authored-by: Rick Elrod <rick@elrod.me> (cherry picked from commit 4c8c40fd3d4a58defdc80e7d22aa8d26b731353e)
-rw-r--r--changelogs/fragments/fix_unsafe_newline.yml2
-rw-r--r--lib/ansible/template/__init__.py5
-rwxr-xr-xtest/integration/targets/template/runme.sh4
-rw-r--r--test/integration/targets/template/unsafe.yml19
4 files changed, 29 insertions, 1 deletions
diff --git a/changelogs/fragments/fix_unsafe_newline.yml b/changelogs/fragments/fix_unsafe_newline.yml
new file mode 100644
index 0000000000..44180c6237
--- /dev/null
+++ b/changelogs/fragments/fix_unsafe_newline.yml
@@ -0,0 +1,2 @@
+security_fixes:
+ - templating engine fix for not preserving usnafe status when trying to preserve newlines. CVE-2021-3583
diff --git a/lib/ansible/template/__init__.py b/lib/ansible/template/__init__.py
index 52b9f71977..a20b1bae68 100644
--- a/lib/ansible/template/__init__.py
+++ b/lib/ansible/template/__init__.py
@@ -875,7 +875,8 @@ class Templar:
try:
res = j2_concat(rf)
- if getattr(new_context, 'unsafe', False):
+ unsafe = getattr(new_context, 'unsafe', False)
+ if unsafe:
res = wrap_var(res)
except TypeError as te:
if 'AnsibleUndefined' in to_native(te):
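Review bot: The `False` default in the added `getattr(new_context, 'unsafe', False)` fails open: a context object that lacks an `unsafe` attribute makes the rendered output trusted, and on the very path this CVE fix hardens that default deserves a sentence saying why it is acceptable, e.g. `# new_context is expected to be an AnsibleContext; its 'unsafe' flag is set while unsafe vars are resolved`. `unsafe` is also bound only after `j2_concat` returns, so the later use of it in the next hunk relies on every branch of this `except TypeError` handler raising rather than falling through; the handler is cut off here, so that cannot be confirmed from the hunk alone. The enclosing method starts before this hunk.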
@@ -905,6 +906,8 @@ class Templar:
res_newlines = _count_newlines_from_end(res)
if data_newlines > res_newlines:
res += self.environment.newline_sequence * (data_newlines - res_newlines)
+ if unsafe:
+ res = wrap_var(res)
return res
except (UndefinedError, AnsibleUndefinedVariable) as e:
if fail_on_undefined:
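Review bot: The re-wrap added just before `return res` is needed because `res += ...` two lines above goes through `str.__add__`, which returns a plain `str` and silently discards the `AnsibleUnsafeText` marker applied in the earlier hunk; a why-comment would keep a future refactor from dropping it again: `# str concatenation yields a plain str and drops the unsafe marker; re-wrap`. Wrapping twice also means any other mutation of `res` between the first wrap and this point (the lines elided between the two hunks) would need the same treatment; wrapping once, immediately before this `return`, would make that class of regression structurally impossible, unless an early return in the elided region depends on the earlier wrap, which the hunk does not show. The enclosing `try`/`except` and method start and end outside the hunk.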
diff --git a/test/integration/targets/template/runme.sh b/test/integration/targets/template/runme.sh
index b634e9d989..fbf3f644f8 100755
--- a/test/integration/targets/template/runme.sh
+++ b/test/integration/targets/template/runme.sh
@@ -34,3 +34,7 @@ ansible-playbook 6653.yml -v "$@"
# https://github.com/ansible/ansible/issues/72262
ansible-playbook 72262.yml -v "$@"
+
+# ensure unsafe is preserved, even with extra newlines
+ansible-playbook unsafe.yml -v "$@"
+
diff --git a/test/integration/targets/template/unsafe.yml b/test/integration/targets/template/unsafe.yml
new file mode 100644
index 0000000000..6746e1ea0c
--- /dev/null
+++ b/test/integration/targets/template/unsafe.yml
@@ -0,0 +1,19 @@
+- hosts: localhost
+ gather_facts: false
+ vars:
+ nottemplated: this should not be seen
+ imunsafe: !unsafe '{{ nottemplated }}'
+ tasks:
+
+ - set_fact:
+ this_was_unsafe: >
+ {{ imunsafe }}
+
+ - set_fact:
+ this_always_safe: '{{ imunsafe }}'
+
+ - name: ensure nothing was templated
+ assert:
+ that:
+ - this_always_safe == imunsafe
+ - imunsafe == this_was_unsafe.strip()
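Review bot: The regression case exercises only a single trailing newline from the folded `>` scalar, so the `data_newlines - res_newlines` multiplier path in the fix (more than one newline re-added) is never hit; a second fact written with `>+` and blank lines after `{{ imunsafe }}` would cover it. The assertions also compare only stripped text, so a fix that preserved the unsafe marker but lost the trailing newline would still pass; adding `- this_was_unsafe != this_was_unsafe.strip()` would pin that the newline survives too. The playbook is complete within this hunk.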