From 963bdd9983b91a48fb6949fb2ef41071e72d0be0 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Sat, 18 Jul 2020 01:21:35 +0530
Subject: [PATCH] [2.10] pipe: update docs for Popen with shell=True usage (#70602)

pipe lookup plugin uses Popen with shell=True intentionally. This is considered a security issue if user input is not validated. Updated docs to reflect this information for the user. Also, added Bandit B602 documentation link for further reading.

Fixes: #70159
Signed-off-by: Abhijeet Kasurde
(cherry picked from commit e5649ca3e807f17e7c034ee22791f107162973b0)
---
changelogs/fragments/70261_pipe_lookup.yml | 2 ++
lib/ansible/plugins/lookup/pipe.py | 21 ++++++++++++++-------
2 files changed, 16 insertions(+), 7 deletions(-)
create mode 100644 changelogs/fragments/70261_pipe_lookup.yml

diff --git a/changelogs/fragments/70261_pipe_lookup.yml b/changelogs/fragments/70261_pipe_lookup.yml
new file mode 100644
index 00000000000..cc10e8c36bd
--- /dev/null
+++ b/changelogs/fragments/70261_pipe_lookup.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- pipe lookup - update docs for Popen with shell=True usages (https://github.com/ansible/ansible/issues/70159).
diff --git a/lib/ansible/plugins/lookup/pipe.py b/lib/ansible/plugins/lookup/pipe.py
index 0f5c974c2fa..81fd42bc67a 100644
--- a/lib/ansible/plugins/lookup/pipe.py
+++ b/lib/ansible/plugins/lookup/pipe.py
@@ -4,32 +4,39 @@ from __future__ import (absolute_import, division, print_function) __metaclass__ = type -DOCUMENTATION = """ +DOCUMENTATION = r""" lookup: pipe author: Daniel Hokka Zakrisson version_added: "0.9" short_description: read output from a command description: - - Run a command and return the output + - Run a command and return the output. options: _terms: - description: command(s) to run + description: command(s) to run. required: True notes: - Like all lookups this runs on the Ansible controller and is unaffected by other keywords, such as become, so if you need to different permissions you must change the command or run Ansible as another user. - Alternatively you can use a shell/command task that runs against localhost and registers the result. + - Pipe lookup internally invokes Popen with shell=True (this is required and intentional). + This type of invocation is considered as security issue if appropriate care is not taken to sanitize any user provided or variable input. + It is strongly recommended to pass user input or variable input via quote filter before using with pipe lookup. + See example section for this. + Read more about this L(Bandit B602 docs,https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html) """ -EXAMPLES = """ +EXAMPLES = r""" - name: raw result of running date command" - debug: msg="{{ lookup('pipe','date') }}" + debug: + msg: "{{ lookup('pipe', 'date') }}" - name: Always use quote filter to make sure your variables are safe to use with shell - debug: msg="{{ lookup('pipe','getent ' + myuser|quote ) }}" + debug: + msg: "{{ lookup('pipe', 'getent ' + myuser | quote ) }}" """ -RETURN = """ +RETURN = r""" _string: description: - stdout from command
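Review bot: The new `notes:` entry presents the `quote` filter as sufficient sanitisation, but `quote` only neutralises shell metacharacters; the invoked program still receives the quoted value as an argument and interprets it itself, so the wording should state that limit rather than imply that quoting makes arbitrary user input safe. The same entry also reads `considered as security issue` where `considered a security issue` is meant, and `See example section for this.` should name the section it points at, e.g. `See the examples section below.`. I would extend the third added sentence to: `It is strongly recommended to pass user input or variable input via the quote filter before using it with the pipe lookup; quoting protects only against shell interpretation, so untrusted values should only ever appear as quoted arguments, never as the command or its options.` The `- name: raw result of running date command"` context line in EXAMPLES still carries a stray trailing double quote that this docs pass could have removed. The RETURN string continues past the end of the hunk.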