Hi!
I'm not sending this in as a security issue, as I don't think there are playbooks like that in the wild.
If I understood the changes in 1.6.7+ properly, they were about protecting against injecting arguments like this:
    - set_fact:
        foo: 'bar" mode="0666'
    - copy: content="{{ foo }}" dest=/etc/somesecret
But it seems it's still possible to create playbooks that are not safe against argument injection:
    - set_fact:
        foo: 'bar\n", "mode": "0666'
    - copy: ""
      args: '{ "content": "{{ foo }}", "dest": "/tmp/foo" }'
Is it by accident, or is templating the whole args dictionary considered too funky to be used (and so, to secure)?
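The distinction the thread turns on (a templated value versus a value that adds a parameter), as an added example that is not part of the original posts and is not Ansible's code. It assumes a regex substitution as a stand-in for Jinja2; `render`, `expected_keys`, `check_args` and `render_escaped` are hypothetical helper names.

```python
import json
import re

# Both strings are taken from the post above. YAML single quotes keep the
# backslash in foo literal, hence the raw string.
ARGS_TEMPLATE = '{ "content": "{{ foo }}", "dest": "/tmp/foo" }'
PAGE_VALUE = r'bar\n", "mode": "0666'

_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, variables):
    """Stand-in for Jinja2 (assumption): paste each raw value into the text."""
    return _VAR.sub(lambda m: variables[m.group(1)], template)


def expected_keys(template):
    """Parameters the playbook author wrote, found with an inert placeholder."""
    return set(json.loads(_VAR.sub("x", template)))


def check_args(template, variables):
    """Return (args, injected); injected holds parameters the template never named."""
    try:
        args = json.loads(render(template, variables))
    except ValueError:
        return None, set()  # rendered text is no longer valid JSON: reject it
    if not isinstance(args, dict):
        return None, set()
    return args, set(args) - expected_keys(template)


def render_escaped(template, variables):
    """Mitigation: JSON-escape each value so it cannot close its own string."""
    def escape(match):
        return json.dumps(variables[match.group(1)])[1:-1]  # drop outer quotes
    return json.loads(_VAR.sub(escape, template))


if __name__ == "__main__":
    args, injected = check_args(ARGS_TEMPLATE, {"foo": PAGE_VALUE})
    print("parsed args:", args)
    print("parameters added by the value:", sorted(injected))
    print("escaped render:", render_escaped(ARGS_TEMPLATE, {"foo": PAGE_VALUE}))
```

A value that only changes `content` passes the check; a value that makes the parsed key set grow is the case the check flags.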
Hi Tomasz,
All security fixes are intended to be resolved as of 1.7.10, not 1.6.7.
These issues were about injection of new parameters, not the fact that a particular value can be templated, especially one like content (which is useful and intentional).
If you think you have discovered something new, please contact us at security@ansible.com and we can agree on details and a release date.
Please see our security policy at http://www.ansible.com/security for information about reporting details.
Let’s discuss there (security@ansible.com) to avoid leaking a potential exploit, should you think you have one; right now, I’m not seeing enough detail to see one.
Thank you!
Slight correction, when I say 1.7.10 above, I mean 1.7.0.