Fixing another corner case for security related to CVE-2016-9587

(cherry picked from commit bcceada5d9)
Computest 2017-01-10 16:51:40 -06:00 committed by James Cammarata
parent bd1ba1e21a
commit 51559b0a51
2 changed files with 9 additions and 5 deletions


@ -154,7 +154,7 @@ class AnsibleContext(Context):
''' '''
if isinstance(val, dict): if isinstance(val, dict):
for key in val.keys(): for key in val.keys():
if self._is_unsafe(val[key]): if self._is_unsafe(key) or self._is_unsafe(val[key]):
return True return True
elif isinstance(val, list): elif isinstance(val, list):
for item in val: for item in val:
@ -392,11 +392,11 @@ class Templar:
fail_on_undefined=fail_on_undefined, fail_on_undefined=fail_on_undefined,
overrides=overrides, overrides=overrides,
) )
if convert_data and not self._no_type_regex.match(variable): unsafe = hasattr(result, '__UNSAFE__')
if convert_data and not self._no_type_regex.match(variable) and not unsafe:
# if this looks like a dictionary or list, convert it to such using the safe_eval method # if this looks like a dictionary or list, convert it to such using the safe_eval method
if (result.startswith("{") and not result.startswith(self.environment.variable_start_string)) or \ if (result.startswith("{") and not result.startswith(self.environment.variable_start_string)) or \
result.startswith("[") or result in ("True", "False"): result.startswith("[") or result in ("True", "False"):
unsafe = hasattr(result, '__UNSAFE__')
eval_results = safe_eval(result, locals=self._available_variables, include_exceptions=True) eval_results = safe_eval(result, locals=self._available_variables, include_exceptions=True)
if eval_results[1] is None: if eval_results[1] is None:
result = eval_results[0] result = eval_results[0]
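Review bot: The new `and not unsafe` guard in the Templar hunk carries no comment saying why an unsafe result must skip `safe_eval`, and that reason is the whole point of the change. I would add above the `unsafe = hasattr(result, '__UNSAFE__')` line: `# never pass text derived from unsafe data to safe_eval (CVE-2016-9587)`. With the guard in place `unsafe` is always False inside this branch, so any later `if unsafe:` re-wrap in the part of the block outside the hunk is probably dead and could be dropped or moved. The check also depends on the `__UNSAFE__` marker still being present on `result`. A regression test covering an unsafe dict key (first hunk) and an unsafe string starting with `{` or `[` would pin both cases.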


@ -93,10 +93,14 @@ class AnsibleJSONUnsafeDecoder(json.JSONDecoder):
return value return value
def _wrap_dict(v): def _wrap_dict(v):
# Create new dict to get rid of the keys that are not wrapped.
new = {}
for k in v.keys(): for k in v.keys():
if v[k] is not None: if v[k] is not None:
v[wrap_var(k)] = wrap_var(v[k]) new[wrap_var(k)] = wrap_var(v[k])
return v else:
new[wrap_var(k)] = None
return new
def _wrap_list(v): def _wrap_list(v):
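Review bot: `_wrap_dict` now returns a fresh dict and leaves `v` untouched, where it used to update `v` in place, so a caller that ignores the return value would keep the unwrapped keys; the callers are not visible here, so this needs checking. A docstring such as `"""Return a new dict with every key and value wrapped; the input is not modified."""` would make the contract explicit. The loop could also read `for k, item in v.items():` with `new[wrap_var(k)] = wrap_var(item) if item is not None else None`, which removes the repeated `v[k]` lookup and the duplicated assignment. `_wrap_list` begins on the last line and its body is outside the hunk; if it wraps items in place in the same way, it deserves the same look.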