Connection error messages are unsafe: wrap them (#37329)

* Check that connection error msg are not unsafe * Connection error messages are unsafe: wrap them For example, in case of error, docker connection plugin returns exception message containing Go template. These messages weren't tagged as unsafe and were consequently rendered: The conditional check 'result is failed' failed. The error was: { 'msg': u'Docker version check ([\'/usr/bin/docker\', \'version\', \'--format\', "\'{{.Server.Version}}\'"]) failed: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.35/version: dial unix /var/run/docker.sock: connect: permission denied\n', 'failed': True }: template error while templating string: unexpected '.'. String: Docker version check (['/usr/bin/docker', 'version', '--format', "'{{.Server.Version}}'"]) failed: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.35/version: dial unix /var/run/docker.sock: connect: permission denied (cherry picked from commit 4378542ac7ff98fba4fe2c00eec99fbab8e93d1e)
author: Pilou <pierre-louis@libregerbil.fr> 2018-03-14 00:20:24 +0100
committer: Toshio Kuratomi <a.badger@gmail.com> 2018-03-19 08:10:10 -0700
commit: 4f071bdc2f08e6f7d37b3ba00ff2263f3030b488 (patch)
tree: 8fb8fd72c923c90b32e3390c2001982766e968f4 /test/integration
parent: 850224dd5e3182f11408cc755bb065008d217ce2 (diff)
download: ansible-4f071bdc2f08e6f7d37b3ba00ff2263f3030b488.tar.gz
5 files changed, 73 insertions, 0 deletions
diff --git a/test/integration/targets/connection/aliases b/test/integration/targets/connection/aliases
new file mode 100644
index 0000000000..7af8b7f05b
--- /dev/null
+++ b/test/integration/targets/connection/aliases
@@ -0,0 +1 @@
+posix/ci/group2
diff --git a/test/integration/targets/connection/inventory b/test/integration/targets/connection/inventory
new file mode 100644
index 0000000000..324f0d3af3
--- /dev/null
+++ b/test/integration/targets/connection/inventory
@@ -0,0 +1,2 @@
+[local]
+testhost
diff --git a/test/integration/targets/connection/play.yml b/test/integration/targets/connection/play.yml
new file mode 100644
index 0000000000..b62239379a
--- /dev/null
+++ b/test/integration/targets/connection/play.yml
@@ -0,0 +1,19 @@
+- hosts: testhost
+  gather_facts: false
+  tasks:
+    - name: "use a connection plugin raising an exception, exception message contains Jinja template."
+      connection: dummy
+      command: /bin/true  # command won't be executed
+      register: result
+      ignore_errors: True
+
+    - name: "check that Jinja template embedded in exception message isn't rendered"
+      debug:
+        msg: 'ok'
+      when: result is failed
+      register: debug_task
+
+    - assert:
+        that:
+          - result is failed
+          - debug_task is success
diff --git a/test/integration/targets/connection/plugin/dummy.py b/test/integration/targets/connection/plugin/dummy.py
new file mode 100644
index 0000000000..de84bb4341
--- /dev/null
+++ b/test/integration/targets/connection/plugin/dummy.py
@@ -0,0 +1,46 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = """
+    author:
+        - John Doe
+    connection: dummy
+    short_description: defective connection plugin
+    description:
+        - defective connection plugin
+    version_added: "2.0"
+    options: {}
+"""
+import ansible.constants as C
+from ansible.errors import AnsibleError
+from ansible.plugins.connection import ConnectionBase
+
+
+class Connection(ConnectionBase):
+
+    transport = 'dummy'
+    has_pipelining = True
+    become_methods = frozenset(C.BECOME_METHODS)
+
+    def __init__(self, play_context, new_stdin, *args, **kwargs):
+        super(Connection, self).__init__(play_context, new_stdin, *args, **kwargs)
+
+        raise AnsibleError('an error with {{ some Jinja }}')
+
+    def transport(self):
+        pass
+
+    def _connect(self):
+        pass
+
+    def exec_command(self, cmd, in_data=None, sudoable=True):
+        pass
+
+    def put_file(self, in_path, out_path):
+        pass
+
+    def fetch_file(self, in_path, out_path):
+        pass
+
+    def close(self):
+        pass
diff --git a/test/integration/targets/connection/runme.sh b/test/integration/targets/connection/runme.sh
new file mode 100755
index 0000000000..2ab43e0066
--- /dev/null
+++ b/test/integration/targets/connection/runme.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -o nounset -o errexit -o xtrace
+
+ANSIBLE_CONNECTION_PLUGINS="$(pwd)/plugin" ansible-playbook -i inventory "$(pwd)/play.yml" -v "$@"
author	Pilou <pierre-louis@libregerbil.fr>	2018-03-14 00:20:24 +0100
committer	Toshio Kuratomi <a.badger@gmail.com>	2018-03-19 08:10:10 -0700
commit	4f071bdc2f08e6f7d37b3ba00ff2263f3030b488 (patch)
tree	8fb8fd72c923c90b32e3390c2001982766e968f4 /test/integration
parent	850224dd5e3182f11408cc755bb065008d217ce2 (diff)
download	ansible-4f071bdc2f08e6f7d37b3ba00ff2263f3030b488.tar.gz