mark entire module result untrusted as template (#55717)
* prevents accidental templating on intra-action postprocessing of an untrusted module result * makes the view of a module result within an action consistent with the way it would be stored for future use (eg facts, register)
This commit is contained in:
parent
34e9c0f3a5
commit
03cac394cc
2 changed files with 5 additions and 4 deletions
|
@ -1,2 +1,2 @@
|
|||
bugfixes:
|
||||
- ensure facts are always unsafe objects and don't rely on plugin returns
|
||||
- ensure module results and facts are marked untrusted as templates for safer use within the same task
|
||||
|
|
|
@ -968,6 +968,10 @@ class ActionBase(with_metaclass(ABCMeta, object)):
|
|||
data['deprecations'] = []
|
||||
data['deprecations'].extend(self._discovery_deprecation_warnings)
|
||||
|
||||
# mark the entire module results untrusted as a template right here, since the current action could
|
||||
# possibly template one of these values.
|
||||
data = wrap_var(data)
|
||||
|
||||
display.debug("done with _execute_module (%s, %s)" % (module_name, module_args))
|
||||
return data
|
||||
|
||||
|
@ -978,9 +982,6 @@ class ActionBase(with_metaclass(ABCMeta, object)):
|
|||
display.warning(w)
|
||||
|
||||
data = json.loads(filtered_output)
|
||||
|
||||
if 'ansible_facts' in data and isinstance(data['ansible_facts'], dict):
|
||||
data['ansible_facts'] = wrap_var(data['ansible_facts'])
|
||||
data['_ansible_parsed'] = True
|
||||
except ValueError:
|
||||
# not valid json, lets try to capture error
|
||||
|
|
Loading…
Reference in a new issue