Merge pull request #4597 from AlanCoding/1873

do not allow YAML strings that are OrderedDicts

awx/main/tests/functional/api/test_job_template.py

@@ -65,6 +65,17 @@ def test_edit_sensitive_fields(patch, job_template_factory, alice, grant_project
     }, alice, expect=expect)
 
 
+@pytest.mark.django_db
+def test_reject_dict_extra_vars_patch(patch, job_template_factory, admin_user):
+    # Expect a string for extra_vars, raise 400 in this case that would
+    # otherwise have been saved incorrectly
+    jt = job_template_factory(
+        'jt', organization='org1', project='prj', inventory='inv', credential='cred'
+    ).job_template
+    patch(reverse('api:job_template_detail', args=(jt.id,)),
+          {'extra_vars': {'foo': 5}}, admin_user, expect=400)
+
+
 @pytest.mark.django_db
 def test_edit_playbook(patch, job_template_factory, alice):
     objs = job_template_factory('jt', organization='org1', project='prj', inventory='inv', credential='cred')

awx/main/validators.py

@@ -185,8 +185,9 @@ def vars_validate_or_raise(vars_str):
     except ValueError:
         pass
     try:
-        yaml.safe_load(vars_str)
+        r = yaml.safe_load(vars_str)
-        return vars_str
+        if not (isinstance(r, basestring) and r.startswith('OrderedDict(')):
+            return vars_str
     except yaml.YAMLError:
         pass
     raise RestValidationError(_('Must be valid JSON or YAML.'))