diff --git a/changelogs/fragments/ensure_facts_safe.yml b/changelogs/fragments/ensure_facts_safe.yml
index e014a0beb1b..64f36143697 100644
--- a/changelogs/fragments/ensure_facts_safe.yml
+++ b/changelogs/fragments/ensure_facts_safe.yml
@@ -1,2 +1,2 @@
 bugfixes:
- - ensure facts are always unsafe objects and don't rely on plugin returns
+ - ensure module results and facts are marked untrusted as templates for safer use within the same task
diff --git a/lib/ansible/plugins/action/__init__.py b/lib/ansible/plugins/action/__init__.py
index 8eb198a78f4..2f6237d007c 100644
--- a/lib/ansible/plugins/action/__init__.py
+++ b/lib/ansible/plugins/action/__init__.py
@@ -968,6 +968,10 @@ class ActionBase(with_metaclass(ABCMeta, object)):
 data['deprecations'] = []
 data['deprecations'].extend(self._discovery_deprecation_warnings)
+ # mark the entire module results untrusted as a template right here, since the current action could
+ # possibly template one of these values.
+ data = wrap_var(data)
+
 display.debug("done with _execute_module (%s, %s)" % (module_name, module_args))
 return data
@@ -978,9 +982,6 @@ class ActionBase(with_metaclass(ABCMeta, object)):
 display.warning(w)
 data = json.loads(filtered_output)
-
- if 'ansible_facts' in data and isinstance(data['ansible_facts'], dict):
- data['ansible_facts'] = wrap_var(data['ansible_facts'])
 data['_ansible_parsed'] = True
 except ValueError:
 # not valid json, lets try to capture error
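Review bot: The new `data = wrap_var(data)` only protects results that reach the final `return data` of `_execute_module`; the method's start is outside this hunk, so if it has any earlier return of raw module output, that path would still hand unwrapped, remote-host-controlled strings to the calling action, and each return path (or `_parse_returned_data`, where the narrower `ansible_facts`-only wrap is removed in the following hunk) should be checked. Since `wrap_var` builds new containers rather than mutating in place, any reference to the old `data` dict held before this line would not carry the unsafe marking, which is worth a glance at the surrounding code. Callers now rely on this guarantee, so it belongs in the method's docstring, e.g. `Returns the parsed module result with every string wrapped via wrap_var, so no field in it is treated as a template by the calling action.`.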