add protection for job-compatible vars

2026-01-14 11:20:39 -03:30 · 2018-04-17 15:46:48 -04:00 · 2018-04-17 15:46:48 -04:00 · c397cacea5
commit c397cacea5
parent 2db44cbf17
2 changed files with 19 additions and 1 deletions
--- a/awx/main/tests/unit/utils/test_common.py
+++ b/awx/main/tests/unit/utils/test_common.py
@ -44,6 +44,16 @@ def test_parse_yaml_or_json(input_, output):
    assert common.parse_yaml_or_json(input_) == output


+def test_recursive_vars_not_allowed():
+    rdict = {}
+    rdict['a'] = rdict
+    # YAML dumper will use a tag to give recursive data
+    data = yaml.dump(rdict, default_flow_style=False)
+    with pytest.raises(ParseError) as exc:
+        common.parse_yaml_or_json(data, silent_failure=False)
+    assert 'Circular reference detected' in str(exc)
+
+
 class TestParserExceptions:

    @staticmethod
--- a/awx/main/utils/common.py
+++ b/awx/main/utils/common.py
@ -630,8 +630,16 @@ def parse_yaml_or_json(vars_str, silent_failure=True):
            vars_dict = yaml.safe_load(vars_str)
            # Can be None if '---'
            if vars_dict is None:
-                return {}
+                vars_dict = {}
            validate_vars_type(vars_dict)
+            if not silent_failure:
+                # is valid YAML, check that it is compatible with JSON
+                try:
+                    json.dumps(vars_dict)
+                except (ValueError, TypeError, AssertionError) as json_err2:
+                    raise ParseError(_(
+                        'Variables not compatible with JSON standard (error: {json_error})').format(
+                            json_error=str(json_err2)))
        except (yaml.YAMLError, TypeError, AttributeError, AssertionError) as yaml_err:
            if silent_failure:
                return {}