author | Brian Coca <bcoca@users.noreply.github.com> | 2021-06-11 17:43:09 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-11 16:43:09 -0500 |
commit | 03aff644cc1c00e1f7551195c68fbd0d13a39e6e (patch) | |
tree | b532a608c8bcde76484d56a37dae378aeaf8b3a3 | |
parent | 578fa17af58ae665cc652c530f1de6562659665c (diff) | |
fix unsafe preservation across newlines (#74960) (#74973)
CVE-2021-3583
ensure we always have unsafe
Co-authored-by: Rick Elrod <rick@elrod.me>
(cherry picked from commit 4c8c40fd3d4a58defdc80e7d22aa8d26b731353e)
-rw-r--r-- | changelogs/fragments/fix_unsafe_newline.yml | 2 | ||||
-rw-r--r-- | lib/ansible/template/__init__.py | 5 | ||||
-rwxr-xr-x | test/integration/targets/template/runme.sh | 4 | ||||
-rw-r--r-- | test/integration/targets/template/unsafe.yml | 19 |
4 files changed, 29 insertions, 1 deletions
diff --git a/changelogs/fragments/fix_unsafe_newline.yml b/changelogs/fragments/fix_unsafe_newline.yml
new file mode 100644
index 0000000000..44180c6237
--- /dev/null
+++ b/changelogs/fragments/fix_unsafe_newline.yml
@@ -0,0 +1,2 @@
+security_fixes:
+ - templating engine fix for not preserving usnafe status when trying to preserve newlines. CVE-2021-3583
diff --git a/lib/ansible/template/__init__.py b/lib/ansible/template/__init__.py
index 3a51fef2ad..aa011e7e22 100644
--- a/lib/ansible/template/__init__.py
+++ b/lib/ansible/template/__init__.py
@@ -1092,7 +1092,8 @@ class Templar:
 res = ansible_native_concat(rf)
 else:
 res = j2_concat(rf)
- if getattr(new_context, 'unsafe', False):
+ unsafe = getattr(new_context, 'unsafe', False)
+ if unsafe:
 res = wrap_var(res)
 except TypeError as te:
 if 'AnsibleUndefined' in to_native(te):
@@ -1122,6 +1123,8 @@ class Templar:
 res_newlines = _count_newlines_from_end(res)
 if data_newlines > res_newlines:
 res += self.environment.newline_sequence * (data_newlines - res_newlines)
+ if unsafe:
+ res = wrap_var(res)
 return res
 except (UndefinedError, AnsibleUndefinedVariable) as e:
 if fail_on_undefined:
diff --git a/test/integration/targets/template/runme.sh b/test/integration/targets/template/runme.sh
index cb00df754d..1b4e980e5b 100755
--- a/test/integration/targets/template/runme.sh
+++ b/test/integration/targets/template/runme.sh
@@ -34,3 +34,7 @@ ansible-playbook 6653.yml -v "$@"
 
 # https://github.com/ansible/ansible/issues/72262
 ansible-playbook 72262.yml -v "$@"
+
+ # ensure unsafe is preserved, even with extra newlines
+ ansible-playbook unsafe.yml -v "$@"
+
diff --git a/test/integration/targets/template/unsafe.yml b/test/integration/targets/template/unsafe.yml
new file mode 100644
index 0000000000..6746e1ea0c
--- /dev/null
+++ b/test/integration/targets/template/unsafe.yml
@@ -0,0 +1,19 @@
+- hosts: localhost
+ gather_facts: false
+ vars:
+ nottemplated: this should not be seen
+ imunsafe: !unsafe '{{ nottemplated }}'
+ tasks:
+
+ - set_fact:
+ this_was_unsafe: >
+ {{ imunsafe }}
+
+ - set_fact:
+ this_always_safe: '{{ imunsafe }}'
+
+ - name: ensure nothing was templated
+ assert:
+ that:
+ - this_always_safe == imunsafe
+ - imunsafe == this_was_unsafe.strip()
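Review bot: `unsafe` is bound inside the `try` body of the first `lib/ansible/template/__init__.py` hunk, after the concat calls that the `except TypeError` below guards, yet it is read again in the second hunk (`if unsafe:` after the newline padding), which is outside that `try`. If the handler in the gap between the two hunks can fall through instead of raising, that read becomes an UnboundLocalError; initialising `unsafe = False` ahead of the `try:` (which opens above the hunk and is not visible here) makes the second wrap safe regardless of how the handler exits. The second wrap is the actual fix, since `res += ...` builds a plain str and drops the unsafe marking; a comment on it such as `# str concatenation drops the unsafe wrapper; re-tag the padded result` would record why the value is wrapped twice. The enclosing method starts and ends outside both hunks.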
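Review bot: The final assertion compares `this_was_unsafe.strip()`, so the test also passes if the folded scalar's trailing newline was never appended, i.e. if the newline-padding branch this commit fixes was not actually exercised. Adding `- this_was_unsafe != this_was_unsafe.strip()` to the `that` list pins that the padded path ran and the value still came back untemplated. The name `this_always_safe` reads as the opposite of what it holds (an `!unsafe`-tagged value rendered without padding); something like `this_unsafe_no_newline` would make the pair of facts easier to read.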