Diffstat (limited to 'lib/ansible/playbook/conditional.py')
-rw-r--r-- | lib/ansible/playbook/conditional.py | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/ansible/playbook/conditional.py b/lib/ansible/playbook/conditional.py
index 1a1cc4f976..1361cd870b 100644
--- a/lib/ansible/playbook/conditional.py
+++ b/lib/ansible/playbook/conditional.py
@@ -28,8 +28,10 @@ from ansible.errors import AnsibleError, AnsibleUndefinedVariable
 from ansible.playbook.attribute import FieldAttribute
 from ansible.template import Templar
 from ansible.module_utils._text import to_native
+from ansible.vars.unsafe_proxy import wrap_var
 DEFINED_REGEX = re.compile(r'(hostvars\[.+\]|[\w_]+)\s+(not\s+is|is|is\s+not)\s+(defined|undefined)')
+LOOKUP_REGEX = re.compile(r'lookup\s*\(')
 class Conditional:
@@ -127,9 +129,12 @@ class Conditional:
 return conditional
 # a Jinja2 evaluation that results in something Python can eval!
+ if hasattr(conditional, '__UNSAFE__') and LOOKUP_REGEX.match(conditional):
+ raise AnsibleError("The conditional '%s' contains variables which came from an unsafe " \
+ "source and also contains a lookup() call, failing conditional check" % conditional)
+
 presented = "{%% if %s %%} True {%% else %%} False {%% endif %%}" % conditional
- conditional = templar.template(presented)
- val = conditional.strip()
+ val = templar.template(presented).strip()
 if val == "True":
 return True
 elif val == "False": |
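Review bot: `wrap_var` is imported in the first hunk, but none of the seven added lines in this file uses it, so as shown it is a dead import. Either drop `from ansible.vars.unsafe_proxy import wrap_var` or add the call it was meant for. `LOOKUP_REGEX` also has no comment saying what it protects; something like `# a lookup( call in a conditional built from unsafe data must never be templated` above it would record the intent for the next maintainer.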
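Review bot: In the second hunk, `LOOKUP_REGEX.match(conditional)` only tests the start of the string, so the guard fires only when the conditional begins with `lookup(`. An unsafe conditional with the call later in the expression, or after leading whitespace, still reaches `templar.template(presented)`. The error text says the conditional "contains a lookup() call", which is what `.search()` checks: `if hasattr(conditional, '__UNSAFE__') and LOOKUP_REGEX.search(conditional):`. Even then a denylist on one function name is narrow; refusing to template any `__UNSAFE__` conditional that still contains template syntax would be the stronger check, if the templar offers a way to test for that. The enclosing method starts and ends outside the hunk.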