diff options
author | James E. Blair <jeblair@redhat.com> | 2020-02-10 12:44:05 -0800 |
---|---|---|
committer | James E. Blair <jeblair@redhat.com> | 2020-02-10 12:45:13 -0800 |
commit | df62a94946edd61391fc914e65180681ed37ac9b (patch) | |
tree | c1b4300a749601e18971820333755fb317d93497 /zuul/ansible/base/lookup/template.py | |
parent | 1d4b3796f7b271f9f068e9bd42a1a0863b51f7d1 (diff) | |
download | zuul-df62a94946edd61391fc914e65180681ed37ac9b.tar.gz |
Allow template lookup in untrusted context
This is similar to the already-permitted file lookup, but it
templates the result. The same access restrictions on the
supplied path as file should be applied.
Change-Id: I21b8788d491485cef6b05bebeb4b93c8df6b535c
Diffstat (limited to 'zuul/ansible/base/lookup/template.py')
-rw-r--r--[l---------] | zuul/ansible/base/lookup/template.py | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/zuul/ansible/base/lookup/template.py b/zuul/ansible/base/lookup/template.py index d45b9c405..fef56570a 120000..100644 --- a/zuul/ansible/base/lookup/template.py +++ b/zuul/ansible/base/lookup/template.py @@ -1 +1,27 @@ -_banned.py
\ No newline at end of file +# Copyright 2017 Red Hat, Inc. +# +# This module is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This software is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this software. If not, see <http://www.gnu.org/licenses/>. + +from zuul.ansible import paths +template_mod = paths._import_ansible_lookup_plugin("template") + + +class LookupModule(template_mod.LookupModule): + + def run(self, terms, variables=None, **kwargs): + for term in terms: + lookupfile = self.find_file_in_search_path( + variables, 'templates', term) + paths._fail_if_unsafe(lookupfile, allow_trusted=True) + return super(LookupModule, self).run(terms, variables, **kwargs) |