ansible/test/integration/targets/gathering_facts/test_prevent_injection.yml
Brian Coca a9d2ceafe4
prevent ansible_facts injection ()
- also only replace when needed
 - switched from replace to index
 - added test to verify bogus_facts are not accepted

CVE-2020-10684
2020-03-24 15:46:56 -04:00

14 lines
580 B
YAML

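- name: Ensure clean_facts is working properly
  hosts: facthost1
  gather_facts: false
  tasks:
    # bogus_facts is the test action that returns the 'bad' facts checked below
    - name: gather 'bad' facts
      action: bogus_facts

    # The injected value must not appear as a top-level variable, inside
    # ansible_facts, or inside a nested ansible_facts key, and bogus_overwrite
    # must not have been defined at all.
    - name: ensure that the 'bad' facts didn't pollute what they are not supposed to
      assert:
        that:
          - "'touch' not in discovered_interpreter_python|default('')"
          - "'touch' not in ansible_facts.get('discovered_interpreter_python', '')"
          - "'touch' not in ansible_facts.get('ansible_facts', {}).get('discovered_interpreter_python', '')"
          - bogus_overwrite is undefined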