security implications of: local_action: shell command {{ fact_var }}

Hi,

Similar to a previous question [1] that was answered by Brian, I'm
wondering if the following example gives the remote server remote
command execution privileges on the Ansible host (which obviously no one
wants):

local_action: shell cat {{ fact123 }}

Is that a bad idea?

Can the remote server do a 'rm -rf /home' by providing
"/etc/passwd; rm -rf /home"
as the content of fact123?

From Brian's previous answer[1]:
- the fact variables (what ansible_all_ipv4_addresses is) are
sanitized against template injection but not verified against
directories,

Does that sanitization also prevent shell CLI injection (above example)?

thanks!

[1]
https://groups.google.com/d/msgid/ansible-project/CAJ5XC8mKHaCvD7LOJJZJEMvWJkaij39ani%2BPcd36yFmMoWCeyw%40mail.gmail.com

No, Ansible can only protect you so much; like in a normal shell, you
really want to quote variable input:

`cat "{{fact123}}"` would work the same as when running a shell script
`cat "$MYVAR"`

thanks for your fast reply!

Brian Coca:

> No, Ansible can only protect you so much; like in a normal shell, you
> really want to quote variable input:
>
> `cat "{{fact123}}"` would work the same as when running a shell script
> `cat "$MYVAR"`

So you confirm that my example gives the remote server remote code
execution on the Ansible host, right?

Does using the 'command' module instead of the shell module kill this
entire attack possibility (besides always quoting vars) and would
therefore be a good preference over the shell module?
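An added check (not code from the thread or from Ansible) covering Brian's quoting advice and the command-module question: it renders the three task styles with two constructed, benign fact values and reports whether the fact escaped its argument position. The rendering is a plain-substitution stand-in for Jinja2; Ansible's `quote` filter is `shlex.quote`, so it is used directly. It goes one step beyond Brian's advice by showing that `"{{ fact123 }}"` still fails when the fact itself contains a double quote, while `| quote` and a shell-free argv do not.

```python
import shlex
import subprocess

# Constructed, benign sample values a compromised managed host could report as
# fact123. Each only echoes a marker; nothing is deleted.
SEMICOLON_FACT = '/dev/null; echo INJECTED'           # escapes an unquoted {{ fact123 }}
DQUOTE_FACT = '/dev/null"; echo INJECTED; echo "'     # escapes a double-quoted "{{ fact123 }}"


def render(template: str, fact: str) -> str:
    """Stand-in for Jinja2 rendering (assumption: only these two expressions occur).
    The `| quote` form is Ansible's quote filter, i.e. shlex.quote."""
    return (template.replace("{{ fact123 | quote }}", shlex.quote(fact))
                    .replace("{{ fact123 }}", fact))


def marker_ran(stdout: str) -> bool:
    """True if the injected marker command produced its own output line."""
    return "INJECTED" in stdout.splitlines()


def shell_module(template: str, fact: str) -> bool:
    """shell module: the rendered line is handed to sh -c, so shell metacharacters
    in the fact are interpreted. Returns True if the fact broke out of its argument."""
    line = render(template, fact)
    out = subprocess.run(["sh", "-c", line], capture_output=True, text=True).stdout
    return marker_ran(out)


def command_module(fact: str) -> bool:
    """command module: argv is executed directly; no shell ever parses the value,
    so the whole fact is passed to cat as one argument."""
    out = subprocess.run(["cat", fact], capture_output=True, text=True).stdout
    return marker_ran(out)


if __name__ == "__main__":
    for tmpl in ("cat {{ fact123 }}", 'cat "{{ fact123 }}"', "cat {{ fact123 | quote }}"):
        for fact in (SEMICOLON_FACT, DQUOTE_FACT):
            print(f"{tmpl!r:30} {fact!r:40} injected={shell_module(tmpl, fact)}")
    print("command module, DQUOTE_FACT:           injected =", command_module(DQUOTE_FACT))
```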