New way to expose ones playbook to untrusted variables


Tomasz Kontusz

Aug 12, 2014, 4:10:23 PM8/12/14
to ansible...@googlegroups.com
Hi!
I'm not sending this in as a security issue, as I don't think there are
playbooks like that in the wild.

If I understood the changes in 1.6.7+ properly, they were about
protecting against injecting arguments like this:

- set_fact:
    foo: 'bar" mode="0666'
- copy: content="{{ foo }}" dest=/etc/somesecret

But it seems it's still possible to create playbooks that are not safe
against argument injection:

- set_fact:
    foo: 'bar\n", "mode": "0666'
- copy: ""
  args: '{ "content": "{{ foo }}", "dest": "/tmp/foo" }'

Is it by accident, or is templating the whole args dictionary considered
too funky to be used (and so, to secure)?

---
Tomasz Kontusz
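The mechanism the post describes, as an added Python illustration that is not part of the thread and not Ansible's own code: when a whole args dictionary is rendered as text and then parsed, an untrusted value can close its own quotes and smuggle in a new key, whereas a mapping built structurally keeps the value a value. The payload string, the expected key set and the helper names are constructed for this example.

```python
import json

# Constructed untrusted value, modelled on the second payload in the post:
# the text closes the "content" string and appends a "mode" key.
UNTRUSTED_FOO = 'bar\\n", "mode": "0666'

# Keys the task author intended to pass (assumption for this example).
EXPECTED_KEYS = {"content", "dest"}


def args_by_string_templating(foo: str) -> dict:
    """Unsafe pattern: the untrusted value is spliced into the JSON text of
    the whole args dict before parsing, so it can introduce new keys."""
    template = '{ "content": "%s", "dest": "/tmp/foo" }'
    return json.loads(template % foo)


def args_by_structure(foo: str) -> dict:
    """Safe pattern: build the args as a real mapping. The untrusted value
    is stored as the value of "content" and can never become a key."""
    return {"content": foo, "dest": "/tmp/foo"}


def unexpected_keys(args: dict) -> set:
    """Defensive check: any key the author did not intend to pass."""
    return set(args) - EXPECTED_KEYS


if __name__ == "__main__":
    print("templated:", unexpected_keys(args_by_string_templating(UNTRUSTED_FOO)))
    print("structured:", unexpected_keys(args_by_structure(UNTRUSTED_FOO)))
```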

Michael DeHaan

Aug 12, 2014, 4:42:06 PM8/12/14
to ansible...@googlegroups.com
Hi Tomasz,

All security fixes are intended to be resolved as of 1.7.10, not 1.6.7.

These issues were about injection of new parameters, not the fact that a particular value can be templated, especially one like content (which is useful and intentional).

If you think you have discovered something new, please contact us at secu...@ansible.com and we can agree on details and a release date.

Please see our security policy at http://www.ansible.com/security for information about reporting details.

Let's discuss there (secu...@ansible.com) to avoid leaking a potential exploit, should you think you have one; right now I'm not seeing enough detail to see one.

Thank you!
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/53EA74A7.8050205%40gmail.com.

Michael DeHaan

Aug 12, 2014, 4:42:22 PM8/12/14
to ansible...@googlegroups.com
Slight correction, when I say 1.7.10 above, I mean 1.7.0.
