diff options
author | James Cammarata <jimi@sngx.net> | 2016-12-13 11:14:47 -0600 |
---|---|---|
committer | James Cammarata <jimi@sngx.net> | 2017-01-09 10:43:03 -0600 |
commit | a6fff93967763c45370b2215f79a8050e6e6486a (patch) | |
tree | f8afb9ee06ddc1fe522c9df4d619e2b2644dea5b /lib/ansible/playbook/conditional.py | |
parent | 258c6ada520e72b3040ad9729c8b95f11d5edc22 (diff) | |
download | ansible-a6fff93967763c45370b2215f79a8050e6e6486a.tar.gz |
Fixing security bugs for CVE-2016-9587
Diffstat (limited to 'lib/ansible/playbook/conditional.py')
-rw-r--r-- | lib/ansible/playbook/conditional.py | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/ansible/playbook/conditional.py b/lib/ansible/playbook/conditional.py index 1a1cc4f976..1361cd870b 100644 --- a/lib/ansible/playbook/conditional.py +++ b/lib/ansible/playbook/conditional.py @@ -28,8 +28,10 @@ from ansible.errors import AnsibleError, AnsibleUndefinedVariable from ansible.playbook.attribute import FieldAttribute from ansible.template import Templar from ansible.module_utils._text import to_native +from ansible.vars.unsafe_proxy import wrap_var DEFINED_REGEX = re.compile(r'(hostvars\[.+\]|[\w_]+)\s+(not\s+is|is|is\s+not)\s+(defined|undefined)') +LOOKUP_REGEX = re.compile(r'lookup\s*\(') class Conditional: @@ -127,9 +129,12 @@ class Conditional: return conditional # a Jinja2 evaluation that results in something Python can eval! + if hasattr(conditional, '__UNSAFE__') and LOOKUP_REGEX.match(conditional): + raise AnsibleError("The conditional '%s' contains variables which came from an unsafe " \ + "source and also contains a lookup() call, failing conditional check" % conditional) + presented = "{%% if %s %%} True {%% else %%} False {%% endif %%}" % conditional - conditional = templar.template(presented) - val = conditional.strip() + val = templar.template(presented).strip() if val == "True": return True elif val == "False": |