cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

fix unsafe preservation across newlines (#74960)

Browse source 
* fix unsafe preservation across newlines

  CVE-2021-3583
  ensure we always have unsafe

Co-authored-by: Rick Elrod <rick@elrod.me>
This commit is contained in:
Brian Coca 2021-06-11 09:33:40 -04:00 committed by GitHub
parent 473df5c13f
commit 4c8c40fd3d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 29 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
changelogs/fragments/fix_unsafe_newline.yml Normal file
View file

@ -0,0 +1,2 @@
security_fixes:
- templating engine fix for not preserving usnafe status when trying to preserve newlines. CVE-2021-3583

5
lib/ansible/template/__init__.py
View file

@ -1114,7 +1114,8 @@ class Templar:
res = ansible_native_concat(rf) res = ansible_native_concat(rf)
else: else:
res = j2_concat(rf) res = j2_concat(rf)
if getattr(new_context, 'unsafe', False): unsafe = getattr(new_context, 'unsafe', False)
if unsafe:
res = wrap_var(res) res = wrap_var(res)
except TypeError as te: except TypeError as te:
if 'AnsibleUndefined' in to_native(te): if 'AnsibleUndefined' in to_native(te):
@ -1144,6 +1145,8 @@ class Templar:
res_newlines = _count_newlines_from_end(res) res_newlines = _count_newlines_from_end(res)
if data_newlines > res_newlines: if data_newlines > res_newlines:
res += self.environment.newline_sequence * (data_newlines - res_newlines) res += self.environment.newline_sequence * (data_newlines - res_newlines)
if unsafe:
res = wrap_var(res)
return res return res
except (UndefinedError, AnsibleUndefinedVariable) as e: except (UndefinedError, AnsibleUndefinedVariable) as e:
if fail_on_undefined: if fail_on_undefined:

4
test/integration/targets/template/runme.sh
View file

@ -34,3 +34,7 @@ ansible-playbook 6653.yml -v "$@"
# https://github.com/ansible/ansible/issues/72262 # https://github.com/ansible/ansible/issues/72262
ansible-playbook 72262.yml -v "$@" ansible-playbook 72262.yml -v "$@"
# ensure unsafe is preserved, even with extra newlines
ansible-playbook unsafe.yml -v "$@"

19
test/integration/targets/template/unsafe.yml Normal file
View file

@ -0,0 +1,19 @@
- hosts: localhost
gather_facts: false
vars:
nottemplated: this should not be seen
imunsafe: !unsafe '{{ nottemplated }}'
tasks:
- set_fact:
this_was_unsafe: >
{{ imunsafe }}
- set_fact:
this_always_safe: '{{ imunsafe }}'
- name: ensure nothing was templated
assert:
that:
- this_always_safe == imunsafe
- imunsafe == this_was_unsafe.strip()