Fixing security issue with lookup returns not tainting the jinja2 environment

CVE-2017-7481 Lookup returns wrap the result in unsafe, however when used through the standard templar engine, this does not result in the jinja2 environment being marked as unsafe as a whole. This means the lookup result looses the unsafe protection and may become simple unicode strings, which can result in bad things being re-templated. This also adds a global lookup param and cfg options for lookups to allow unsafe returns, so users can force the previous (insecure) behavior.
2026-05-06 13:22:48 +00:00 · 2017-05-08 10:37:10 -05:00
parent 6f4f7011f1
commit ed56f51f18
4 changed files with 31 additions and 3 deletions
--- a/examples/ansible.cfg
+++ b/examples/ansible.cfg
@@ -282,7 +282,7 @@
 # Controls showing custom stats at the end, off by default
 #show_custom_stats = True

-# Controlls which files to ignore when using a directory as inventory with
+# Controls which files to ignore when using a directory as inventory with
 # possibly multiple sources (both static and dynamic)
 #inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo

@@ -294,6 +294,12 @@
 # Setting to True keeps them under the ansible_facts namespace, the default is False
 #restrict_facts_namespace: True

+# When enabled, this option allows lookups (via variables like {{lookup('foo')}} or when used as
+# a loop with `with_foo`) to return data that is not marked "unsafe". This means the data may contain
+# jinja2 templating language which will be run through the templating engine.
+# ENABLING THIS COULD BE A SECURITY RISK
+#allow_unsafe_lookups = False
+
 [privilege_escalation]
 #become=True
 #become_method=sudo