author Tristan Cacqueray <tdecacqu@redhat.com> 2020-02-24 22:24:53 +0000
committer Tristan Cacqueray <tdecacqu@redhat.com> 2020-02-27 17:15:55 +0000
commit 0684df0dd191427d000f0cee2e18ccdc07f5f3c8 (patch)
tree 8c94b1973a817d95cdce62eba6635595172cccd6 /releasenotes
parent 88d86848636a675da682dcdb0e3d0e806922f7a4 (diff)
download zuul-0684df0dd191427d000f0cee2e18ccdc07f5f3c8.tar.gz
executor: blacklist dangerous ansible host vars (3.17.0)
This change prevents a malicious user from using dangerous ansible variables through host vars by using extra vars to force the default with the highest variable precedence.

Change-Id: Iaf5679bbfa43ff05d1d466106aa32d17c23c1f51
Diffstat (limited to 'releasenotes')
-rw-r--r-- releasenotes/notes/restrict-host-vars-ff64f960009da244.yaml 6
1 files changed, 6 insertions, 0 deletions
diff --git a/releasenotes/notes/restrict-host-vars-ff64f960009da244.yaml b/releasenotes/notes/restrict-host-vars-ff64f960009da244.yaml
new file mode 100644
index 000000000..48b21b4e0
--- /dev/null
+++ b/releasenotes/notes/restrict-host-vars-ff64f960009da244.yaml
@@ -0,0 +1,6 @@
+---
+security:
+ - |
+ The add_host module attributes that can be used to bypass localhost
+ command execution are now also blacklisted using extra-vars to prevent
+ abuse through untrusted host_vars.
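Review bot: The `security:` entry refers to "the add_host module attributes that can be used to bypass localhost command execution" without naming them, so an operator reading the release notes cannot tell which host_vars keys are affected. Consider listing the blacklisted variable names in the note, or pointing to where the list lives. It would also help to state the user-visible behaviour: because the defaults are forced through extra-vars, a job that sets one of these keys in host_vars will have its value overridden rather than rejected, which is worth saying explicitly so that the change in effective values is not a surprise after upgrading.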