Using $PIPE to sanitize a variable value; am I smoking it?

We use ansible for provisioning and deploying our application’s “feature branches” [git branch] to an accessible environment. Under our current approach we deploy the application code to;

/apps/[application]-[branch]

using the git module. Because [branch] sometimes contains special characters that are not directory or URL safe (spaces, slashes, etc.), I am using $PIPE to sanitize it (sed regex replaces non-alphanumeric characters with an underscore). Here’s my code;

# normalize $git_branch, replace non-alphanumerics with _
branch: $PIPE(echo "$git_branch" | sed 's/[^a-zA-Z0-9_-]/_/g')

I have a strange feeling there’s a better, more “ansible way” to do this. Is there a better recommended approach? I also execute similar code to sanitize database names (that are based on git_branch) for the postgresql module.

Many thanks for your tips,

~ Brice

Hi Brice,

Trying to understand the use case.

Are you saying you are having users input data for where their git
branches are stored and you don't trust that data?

It might make sense to write your own lookup plugin, and we could even
include it in core if that made sense, that would be cleaner than the
PIPE.. perhaps $UNTAINT as a node to perl?

--Michael

s/node/nod/g

Michael,

Thank you for looking at my post. I’ll try to clarify – feel free to skip towards the bottom and examine the playbook as this is verbose;

Jenkins jobs are used to test and deploy our application [using ansible] if the tests pass. Development of our application occurs in feature branches – and ansible provisions an accessible environment for each branch as part of the deployment process. So for instance if our goal is to implement “excel import functionality”, we create a git branch named “f/excel” and then instruct the application’s jenkins job to build the “f/excel” branch via a “post build task” shell script – which makes the application code accessible e.g. at http://[branch].features.application.com/ - The post build task resembles something like;

P.S.

I like your idea about an $UNTAINT lookup, but think having $REGEX or something that allows us to search/replace may be more powerful. Again – there’s probably something already implemented that I’m unaware of :)
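
An added example, not part of the thread and not Ansible's own code: the same character replacement done in Python, in the shape a custom filter plugin takes, so the branch name is not passed through echo and sed. The name `sanitize_branch`, the 63-character cap and the hash suffix (which keeps `f/excel` and `f_excel` from landing in the same directory or database) are assumptions of this example.

```python
import hashlib
import re

# Same character class as the sed expression in the thread.
_UNSAFE = re.compile(r"[^a-zA-Z0-9_-]")


def sanitize_branch(branch, max_len=63):
    """Map a git branch name to a token usable as a directory or database name.

    Assumptions of this example (not from the thread):
    - max_len=63 matches the PostgreSQL identifier and DNS label limits;
    - when sanitizing changes the name, a short hash of the original is
      appended so two different branches never map to the same token.
    """
    if not isinstance(branch, str) or not branch:
        raise ValueError("branch name must be a non-empty string")

    safe = _UNSAFE.sub("_", branch)

    # A leading '-' would be read as an option by command-line tools.
    if safe[0] == "-":
        safe = "_" + safe[1:]

    if safe != branch or len(safe) > max_len:
        digest = hashlib.sha256(branch.encode("utf-8")).hexdigest()[:8]
        safe = safe[: max_len - 9] + "_" + digest
    return safe


class FilterModule(object):
    """Filter plugin wrapper; Ansible loads this class from a filter_plugins/ directory."""

    def filters(self):
        return {"sanitize_branch": sanitize_branch}


if __name__ == "__main__":
    # Constructed sample branch names.
    for name in ["f/excel", "f_excel", "f/excel import", "-rf", "a" * 100]:
        print(repr(name), "->", sanitize_branch(name))
```

With the plugin in place, a playbook can write `{{ git_branch | sanitize_branch }}` wherever the directory or database name is needed.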