ansible/test/units
Sam Doran 7e4cffc5d2
[stable-2.10] Change default file permissions so they are not world readable (#70221) (#70824)
* Change default file permissions so they are not world readable

CVE-2020-1736

Set the default permissions for files we create with atomic_move() to 0o0660. Track
which files we create that did not exist and warn if the module supports 'mode'
and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.

A code audit is needed to find all instances of modules that call atomic_move()
but do not call set_mode_if_different(). The findings need to be documented in
a changelog since we are not warning. Warning in those instances would be frustrating
to the user since they have no way to change the module code.

- use a set for storing list of created files
- just check the argument spec and params rather than using another property
- improve the warning message to include the default permissions.
(cherry picked from commit 5260527c4a)

Co-authored-by: Sam Doran <sdoran@redhat.com>
2020-07-23 09:07:18 -07:00
..
_vendor transparent downstream vendoring (#69850) 2020-06-15 16:22:25 -07:00
ansible_test Add Azure Pipelines support to ansible-test. 2020-06-11 14:57:42 -07:00
cli ansible-galaxy - fix collection installation with trailing slashes (#70016) 2020-06-15 17:36:07 -04:00
compat Move unit test compat code out of lib/ansible/. (#46996) 2018-10-12 20:01:14 -07:00
config [stable-2.10] Clean up unit test boilerplate. 2020-07-13 18:28:02 -07:00
errors Remove empty overridden unittest.setUp and unittest.tearDown methods. 2019-11-05 09:12:11 -08:00
executor refactor Python module_utils locator (#70610) (#70711) 2020-07-17 10:57:44 -07:00
galaxy [2.10] Improve ansible-galaxy STDOUT messages for collections (#70379) 2020-07-17 12:39:16 -07:00
inventory [stable-2.10] Clean up unit test boilerplate. 2020-07-13 18:28:02 -07:00
inventory_test_data/group_vars
mock [stable-2.10] Clean up unit test boilerplate. 2020-07-13 18:28:02 -07:00
module_utils [stable-2.10] Change default file permissions so they are not world readable (#70221) (#70824) 2020-07-23 09:07:18 -07:00
modules [stable-2.10] Clean up unit test boilerplate. 2020-07-13 18:28:02 -07:00
parsing [stable-2.10] Ensure single vaulted values aren't counted as sequences. Fixes #70784 (#70786) (#70791) 2020-07-22 18:25:38 -07:00
playbook [stable-2.10] Clean up unit test boilerplate. 2020-07-13 18:28:02 -07:00
plugins Make filter type errors 'loop friendly' (#70417) (#70574) 2020-07-17 12:51:18 -07:00
regex Add toggle to control invalid character substitution in group names (#52748) 2019-03-06 11:49:40 -05:00
template Do not treat AnsibleUndefined as being unsafe (#65202) 2019-11-25 15:06:29 +01:00
utils [stable-2.10] Clean up unit test boilerplate. 2020-07-13 18:28:02 -07:00
vars Remove empty setUp/tearDown/tearDownClass methods in test classes. 2019-11-06 08:14:29 -08:00
__init__.py
requirements.txt Remove unnecessary unit test requirements. 2020-03-23 11:14:21 -05:00
test_constants.py [stable-2.10] Clean up unit test boilerplate. 2020-07-13 18:28:02 -07:00
test_context.py [stable-2.10] Clean up unit test boilerplate. 2020-07-13 18:28:02 -07:00