fix unsafe preservation across newlines (#74960)

* fix unsafe preservation across newlines CVE-2021-3583 ensure we always have unsafe Co-authored-by: Rick Elrod <rick@elrod.me>
2021-06-11 09:33:40 -04:00 · 2021-06-11 09:33:40 -04:00 · 4c8c40fd3d
commit 4c8c40fd3d
parent 473df5c13f
4 changed files with 29 additions and 1 deletions
--- a/changelogs/fragments/fix_unsafe_newline.yml
+++ b/changelogs/fragments/fix_unsafe_newline.yml
@ -0,0 +1,2 @@
+security_fixes:
+  - templating engine fix for not preserving usnafe status when trying to preserve newlines. CVE-2021-3583
--- a/lib/ansible/template/init.py
+++ b/lib/ansible/template/init.py
@ -1114,7 +1114,8 @@ class Templar:
                    res = ansible_native_concat(rf)
                else:
                    res = j2_concat(rf)
-                if getattr(new_context, 'unsafe', False):
+                unsafe = getattr(new_context, 'unsafe', False)
+                if unsafe:
                    res = wrap_var(res)
            except TypeError as te:
                if 'AnsibleUndefined' in to_native(te):
@ -1144,6 +1145,8 @@ class Templar:
                res_newlines = _count_newlines_from_end(res)
                if data_newlines > res_newlines:
                    res += self.environment.newline_sequence * (data_newlines - res_newlines)
+                    if unsafe:
+                        res = wrap_var(res)
            return res
        except (UndefinedError, AnsibleUndefinedVariable) as e:
            if fail_on_undefined:
--- a/test/integration/targets/template/runme.sh
+++ b/test/integration/targets/template/runme.sh
@ -34,3 +34,7 @@ ansible-playbook 6653.yml -v "$@"

 # https://github.com/ansible/ansible/issues/72262
 ansible-playbook 72262.yml -v "$@"
+
+# ensure unsafe is preserved, even with extra newlines
+ansible-playbook unsafe.yml -v "$@"
+
--- a/test/integration/targets/template/unsafe.yml
+++ b/test/integration/targets/template/unsafe.yml
@ -0,0 +1,19 @@
+- hosts: localhost
+  gather_facts: false
+  vars:
+    nottemplated: this should not be seen
+    imunsafe: !unsafe '{{ nottemplated }}'
+  tasks:
+
+    - set_fact:
+        this_was_unsafe: >
+          {{ imunsafe }}
+
+    - set_fact:
+          this_always_safe: '{{ imunsafe }}'
+
+    - name: ensure nothing was templated
+      assert:
+        that:
+        - this_always_safe == imunsafe
+        - imunsafe == this_was_unsafe.strip()