author | Brian Coca <bcoca@users.noreply.github.com> | 2019-06-06 15:36:22 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-06-06 15:36:22 -0400 |
commit | b9b0b230150eceb442c34c917d9e852d5e8b7371 (patch) | |
tree | fbc45fcc4fd2765703cb1861c58651cbdfa1bd78 /lib/ansible | |
parent | 99f9f49ecafe3634652282139b4659e855ad8373 (diff) | |
safe_eval fix (#57188)
* just don't pass locals
- also fix globals
- added tests
* fixed tests
Diffstat (limited to 'lib/ansible')
-rw-r--r-- | lib/ansible/template/__init__.py | 2 | ||||
-rw-r--r-- | lib/ansible/template/safe_eval.py | 8 |
2 files changed, 7 insertions, 3 deletions
diff --git a/lib/ansible/template/__init__.py b/lib/ansible/template/__init__.py
index f88b7165db..ec4bf67713 100644
--- a/lib/ansible/template/__init__.py
+++ b/lib/ansible/template/__init__.py
@@ -543,7 +543,7 @@ class Templar:
             # if this looks like a dictionary or list, convert it to such using the safe_eval method
             if (result.startswith("{") and not result.startswith(self.environment.variable_start_string)) or \
                     result.startswith("[") or result in ("True", "False"):
-                eval_results = safe_eval(result, locals=self._available_variables, include_exceptions=True)
+                eval_results = safe_eval(result, include_exceptions=True)
                 if eval_results[1] is None:
                     result = eval_results[0]
                     if unsafe:
diff --git a/lib/ansible/template/safe_eval.py b/lib/ansible/template/safe_eval.py
index 9c70be4a89..4f5b856180 100644
--- a/lib/ansible/template/safe_eval.py
+++ b/lib/ansible/template/safe_eval.py
@@ -42,10 +42,14 @@ def safe_eval(expr, locals=None, include_exceptions=False):
     # define certain JSON types
     # eg. JSON booleans are unknown to python eval()
-    JSON_TYPES = {
+    OUR_GLOBALS = {
+        '__builtins__': {}, # avoid global builtins as per eval docs
         'false': False,
         'null': None,
         'true': True,
+        # also add back some builtins we do need
+        'True': True,
+        'False': False,
     }
 
     # this is the whitelist of AST nodes we are going to
@@ -138,7 +142,7 @@ def safe_eval(expr, locals=None, include_exceptions=False):
     # Note: passing our own globals and locals here constrains what
     # callables (and other identifiers) are recognized. this is in
     # addition to the filtering of builtins done in CleansingNodeVisitor
-    result = eval(compiled, JSON_TYPES, dict(locals))
+    result = eval(compiled, OUR_GLOBALS, dict(locals))
 
     if include_exceptions:
         return (result, None)
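Review bot: The comment above the `if` still reads as if the string is resolved "using the safe_eval method" in the old sense, but with `locals=self._available_variables` dropped from the call, template variables are no longer visible to the evaluation, so a `{...}` or `[...]` result that still contains a bare variable name now fails the eval and is kept as a string (the `eval_results[1] is None` branch is skipped). That is presumably the intent of the commit, but a reader of this line cannot tell it from a regression; I'd extend the comment: `# literal-only conversion: no template vars are passed, so any remaining bare name makes the eval fail and the string is kept as-is`. The enclosing method starts and ends outside the hunk, so I cannot see whether the failure case is surfaced anywhere beyond being skipped here.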
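Review bot: `'__builtins__': {}` only blocks bare-name lookups such as `__import__` or `open`; it does nothing against attribute traversal like `().__class__.__base__.__subclasses__()`, so the new comment should not leave the impression that the empty dict is a sandbox on its own. I'd replace `# avoid global builtins as per eval docs` with `# empty dict, not None: an absent '__builtins__' key makes eval() re-insert the real builtins; this blocks name lookups only, the AST whitelist below (CleansingNodeVisitor) must still reject Attribute/Call nodes`. The re-added `'True'`/`'False'` entries are presumably needed because Python 2 compiles those as name lookups, whereas Python 3 emits constants; saying so in the `# also add back some builtins we do need` comment would also explain why `None` does not need the same treatment. safe_eval begins before the hunk, so I cannot see whether the whitelist actually excludes those node types.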
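Review bot: `dict(locals)` raises `TypeError` when `locals` is left at its `None` default, and after this commit the `template/__init__.py` caller does exactly that; unless the lines before 142 (outside the hunk) normalise `locals` to `{}`, every literal conversion would now hit that error instead of the intended eval. If that normalisation is not there, `result = eval(compiled, OUR_GLOBALS, dict(locals or {}))` closes it at the call site. Either way the `locals` parameter stays in the signature with no caller visible here passing it, so the docstring (outside the hunk) should state it is optional and that the default is an empty namespace in which only the `OUR_GLOBALS` names resolve.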