diff options
author | James Cammarata <jimi@sngx.net> | 2017-01-10 16:54:00 -0600 |
---|---|---|
committer | James Cammarata <jimi@sngx.net> | 2017-01-11 15:53:04 -0600 |
commit | d316068831f9e08ef96833200ec7df2132263966 (patch) | |
tree | 455c2fd9cad971100e8b65ec351ca4f9629a0d44 /lib/ansible/template | |
parent | bcceada5d9b78ad77069c78226f8e9b336ff8949 (diff) | |
download | ansible-d316068831f9e08ef96833200ec7df2132263966.tar.gz |
Additional fixes for security related to CVE-2016-9587
Diffstat (limited to 'lib/ansible/template')
-rw-r--r-- | lib/ansible/template/__init__.py | 28 |
1 files changed, 14 insertions, 14 deletions
diff --git a/lib/ansible/template/__init__.py b/lib/ansible/template/__init__.py index 53b267543f..1a43486f9e 100644 --- a/lib/ansible/template/__init__.py +++ b/lib/ansible/template/__init__.py @@ -30,10 +30,8 @@ from numbers import Number from jinja2 import Environment from jinja2.loaders import FileSystemLoader from jinja2.exceptions import TemplateSyntaxError, UndefinedError -from jinja2.nodes import EvalContext from jinja2.utils import concat as j2_concat from jinja2.runtime import Context, StrictUndefined - from ansible import constants as C from ansible.compat.six import string_types, text_type from ansible.errors import AnsibleError, AnsibleFilterError, AnsibleUndefinedVariable @@ -42,7 +40,6 @@ from ansible.template.safe_eval import safe_eval from ansible.template.template import AnsibleJ2Template from ansible.template.vars import AnsibleJ2Vars from ansible.module_utils._text import to_native, to_text -from ansible.vars.unsafe_proxy import UnsafeProxy, wrap_var try: from hashlib import sha1 @@ -127,13 +124,6 @@ def _count_newlines_from_end(in_str): # Uncommon cases: zero length string and string containing only newlines return i -class AnsibleEvalContext(EvalContext): - ''' - A custom jinja2 EvalContext, which is currently unused and saved - here for possible future use. - ''' - pass - class AnsibleContext(Context): ''' A custom context, which intercepts resolve() calls and sets a flag @@ -143,7 +133,6 @@ class AnsibleContext(Context): ''' def __init__(self, *args, **kwargs): super(AnsibleContext, self).__init__(*args, **kwargs) - self.eval_ctx = AnsibleEvalContext(self.environment, self.name) self.unsafe = False def _is_unsafe(self, val): @@ -335,7 +324,7 @@ class Templar: self._available_variables = variables self._cached_result = {} - def template(self, variable, convert_bare=False, preserve_trailing_newlines=True, escape_backslashes=True, fail_on_undefined=None, overrides=None, convert_data=True, static_vars = [''], cache = True, bare_deprecated=True): + def template(self, variable, convert_bare=False, preserve_trailing_newlines=True, escape_backslashes=True, fail_on_undefined=None, overrides=None, convert_data=True, static_vars = [''], cache = True, bare_deprecated=True, disable_lookups=False): ''' Templates (possibly recursively) any given data as input. If convert_bare is set to True, the given data will be wrapped as a jinja2 variable ('{{foo}}') @@ -391,6 +380,7 @@ class Templar: escape_backslashes=escape_backslashes, fail_on_undefined=fail_on_undefined, overrides=overrides, + disable_lookups=disable_lookups, ) unsafe = hasattr(result, '__UNSAFE__') if convert_data and not self._no_type_regex.match(variable) and not unsafe: @@ -401,6 +391,7 @@ class Templar: if eval_results[1] is None: result = eval_results[0] if unsafe: + from ansible.vars.unsafe_proxy import wrap_var result = wrap_var(result) else: # FIXME: if the safe_eval raised an error, should we do something with it? @@ -482,6 +473,9 @@ class Templar: ''' return thing if thing is not None else '' + def _fail_lookup(self, name, *args, **kwargs): + raise AnsibleError("The lookup `%s` was found, however lookups were disabled from templating" % name) + def _lookup(self, name, *args, **kwargs): instance = self._lookup_loader.get(name.lower(), loader=self._loader, templar=self) @@ -501,6 +495,7 @@ class Templar: ran = None if ran: + from ansible.vars.unsafe_proxy import UnsafeProxy, wrap_var if wantlist: ran = wrap_var(ran) else: @@ -516,7 +511,7 @@ class Templar: else: raise AnsibleError("lookup plugin (%s) not found" % name) - def do_template(self, data, preserve_trailing_newlines=True, escape_backslashes=True, fail_on_undefined=None, overrides=None): + def do_template(self, data, preserve_trailing_newlines=True, escape_backslashes=True, fail_on_undefined=None, overrides=None, disable_lookups=False): # For preserving the number of input newlines in the output (used # later in this method) data_newlines = _count_newlines_from_end(data) @@ -560,7 +555,11 @@ class Templar: else: return data - t.globals['lookup'] = self._lookup + if disable_lookups: + t.globals['lookup'] = self._fail_lookup + else: + t.globals['lookup'] = self._lookup + t.globals['finalize'] = self._finalize jvars = AnsibleJ2Vars(self, t.globals) @@ -571,6 +570,7 @@ class Templar: try: res = j2_concat(rf) if new_context.unsafe: + from ansible.vars.unsafe_proxy import wrap_var res = wrap_var(res) except TypeError as te: if 'StrictUndefined' in to_native(te): |