author | Matt Davis <nitzmahone@users.noreply.github.com> | 2019-04-24 15:15:20 -0700 |
---|---|---|
committer | Toshio Kuratomi <a.badger@gmail.com> | 2019-04-24 18:38:32 -0600 |
commit | 74e90f89bd69bed528db52c0daf1e2cff85aa1a4 (patch) | |
tree | fa9acd6077b2a3e554cfab5d02ca2d0676da650b | |
parent | f64e95f230458950e13cf8b8bdbaa0b02bd45b16 (diff) | |
mark entire module result untrusted as template (#55717)
* prevents accidental templating on intra-action postprocessing of an untrusted module result
* makes the view of a module result within an action consistent with the way it would be stored for future use (eg facts, register)
(cherry picked from commit 03cac394cc318c7dfb75592920fcf0b4d49185fe)
-rw-r--r-- | changelogs/fragments/ensure_facts_safe.yml | 2 | ||||
-rw-r--r-- | lib/ansible/plugins/action/__init__.py | 7 |
2 files changed, 5 insertions, 4 deletions
diff --git a/changelogs/fragments/ensure_facts_safe.yml b/changelogs/fragments/ensure_facts_safe.yml
index e014a0beb1..64f3614369 100644
--- a/changelogs/fragments/ensure_facts_safe.yml
+++ b/changelogs/fragments/ensure_facts_safe.yml
@@ -1,2 +1,2 @@
 bugfixes:
- - ensure facts are always unsafe objects and don't rely on plugin returns
+ - ensure module results and facts are marked untrusted as templates for safer use within the same task
diff --git a/lib/ansible/plugins/action/__init__.py b/lib/ansible/plugins/action/__init__.py
index 8eb198a78f..2f6237d007 100644
--- a/lib/ansible/plugins/action/__init__.py
+++ b/lib/ansible/plugins/action/__init__.py
@@ -968,6 +968,10 @@ class ActionBase(with_metaclass(ABCMeta, object)):
 data['deprecations'] = []
 data['deprecations'].extend(self._discovery_deprecation_warnings)
+ # mark the entire module results untrusted as a template right here, since the current action could
+ # possibly template one of these values.
+ data = wrap_var(data)
+
 display.debug("done with _execute_module (%s, %s)" % (module_name, module_args))
 return data
@@ -978,9 +982,6 @@ class ActionBase(with_metaclass(ABCMeta, object)):
 display.warning(w)
 data = json.loads(filtered_output)
-
- if 'ansible_facts' in data and isinstance(data['ansible_facts'], dict):
- data['ansible_facts'] = wrap_var(data['ansible_facts'])
 data['_ansible_parsed'] = True
 except ValueError:
 # not valid json, lets try to capture error |
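Review bot: With the `ansible_facts` wrapping removed in the second hunk (after `json.loads(filtered_output)`), the `data = wrap_var(data)` added in the first `__init__.py` hunk becomes the only place a module result is marked untrusted. Any path that consumes the parsed result without going through this return would then see plain, templatable strings. Both enclosing functions start and end outside the hunks, so whether such a path or an earlier `return` exists cannot be confirmed from this page; a test asserting that nested values of the returned dict are unsafe would pin the invariant. `wrap_var` is defined elsewhere, so it is also worth confirming that it recurses into nested lists and dicts rather than wrapping only the top level. I would leave a marker at the parse site: `# NOTE: not yet marked unsafe; _execute_module wraps the whole result before returning`.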