From fe47b75aad6787f41037e3c1d1f0628efa875a1c Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Tue, 17 Apr 2018 12:08:07 -0400
Subject: [PATCH] use a three-prong setting for Jinja extra vars policy
---
awx/main/conf.py | 20 ++++++++++++++++----
awx/main/tasks.py | 10 ++++++----
awx/settings/defaults.py | 2 +-
3 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/awx/main/conf.py b/awx/main/conf.py
index 0ae74a6dfc..3dc3453fb1 100644
--- a/awx/main/conf.py
+++ b/awx/main/conf.py
@@ -133,10 +133,22 @@ register(
 )
 register(
- 'ALLOW_JINJA_IN_JOB_TEMPLATE_EXTRA_VARS',
- field_class=fields.BooleanField,
- label=_('Allow Jinja template execution in Job Template extra vars'),
- help_text=_('Ansible allows variable substitution and templating via the Jinja2 templating language for a variety of arguments (such as --extra-vars); enabling this flag allows arbitrary Jinja templates to be used on extra vars defined in Job Templates.'), # noqa
+ 'ALLOW_JINJA_IN_EXTRA_VARS',
+ field_class=fields.ChoiceField,
+ choices=[
+ ('always', _('Always')),
+ ('never', _('Never')),
+ ('template', _('Only On Job Template Definitions')),
+ ],
+ required=True,
+ label=_('When can extra variables contain Jinja templates?'),
+ help_text=_(
+ 'Ansible allows variable substitution via the Jinja2 templating '
+ 'language for --extra-vars. This poses a potential security '
+ 'risk where Tower users with the ability to specify extra vars at job '
+ 'launch time can use Jinja2 templates to run arbitrary Python. It is '
+ 'recommended that this value be set to "template" or "never".'
+ ),
 category=_('Jobs'),
 category_slug='jobs',
 )
diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index 7f68ed80ec..ce85ab4d83 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
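Review bot: The new help_text recommends "template" or "never" but never says what the three choices do, so the default, "template", reads as opaque to the operator choosing it; the RunJob change in this same commit shows "template" trusting only the extra vars saved on the Job Template definition while launch-time values go through the tagged path, "never" trusting nothing, and "always" handing every value to Jinja2 untagged, including values supplied at launch. Append a sentence to the help_text that spells that out, e.g. `'"always" templates every extra var, "never" templates none, and "template" templates only the extra vars saved on the Job Template definition (values supplied at launch time are never templated).'` It would also help to say in the "Always" choice label or help text that it is the permissive option, since the chooser is a one-word label. The register() call is fully inside the hunk.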
@@ -626,7 +626,10 @@ class BaseTask(LogErrorsTask):
 def build_extra_vars_file(self, vars, **kwargs):
 handle, path = tempfile.mkstemp(dir=kwargs.get('private_data_dir', None))
 f = os.fdopen(handle, 'w')
- f.write(safe_dump(vars, kwargs.get('safe_dict', {}) or None))
+ if settings.ALLOW_JINJA_IN_EXTRA_VARS == 'always':
+ f.write(yaml.safe_dump(vars))
+ else:
+ f.write(safe_dump(vars, kwargs.get('safe_dict', {}) or None))
 f.close()
 os.chmod(path, stat.S_IRUSR)
 return path
@@ -909,8 +912,7 @@ class BaseTask(LogErrorsTask):
 except Exception:
 if status != 'canceled':
 tb = traceback.format_exc()
- if settings.DEBUG:
- logger.exception('%s Exception occurred while running task', instance.log_format)
+ logger.exception('%s Exception occurred while running task', instance.log_format)
 finally:
 try:
 stdout_handle.flush()
@@ -1221,7 +1223,7 @@ class RunJob(BaseTask):
 # higher levels of privilege - those that have the ability create and
 # edit Job Templates)
 safe_dict = {}
- if job.job_template and settings.ALLOW_JINJA_IN_JOB_TEMPLATE_EXTRA_VARS is True:
+ if job.job_template and settings.ALLOW_JINJA_IN_EXTRA_VARS == 'template':
 safe_dict = job.job_template.extra_vars_dict
 extra_vars_path = self.build_extra_vars_file(
 vars=extra_vars,
diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index 66e17a0174..54b6110812 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -586,7 +586,7 @@ CAPTURE_JOB_EVENT_HOSTS = False
 AWX_REBUILD_SMART_MEMBERSHIP = False
 # By default, allow arbitrary Jinja templating in extra_vars defined on a Job Template
-ALLOW_JINJA_IN_JOB_TEMPLATE_EXTRA_VARS = True
+ALLOW_JINJA_IN_EXTRA_VARS = 'template'
 # Enable bubblewrap support for running jobs (playbook runs only).
 # Note: This setting may be overridden by database settings.
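Review bot: The new `'always'` branch silently discards the `safe_dict` the caller passed and writes every value as plain YAML that Ansible will template, and in both branches the descriptor from `os.fdopen` is leaked if `write` raises, because `f.close()` runs only on the success path. Wrap the write in `with os.fdopen(handle, 'w') as f:` so the handle is always released, and put a comment on the `'always'` branch stating that the unsafe-string tagging is deliberately bypassed for every caller of this helper. Any setting value other than `'always'` falls through to the tagged path, which is the right fail-closed direction and worth recording in a docstring so nobody "fixes" it into a three-way branch that defaults open. The method is fully inside the hunk; the enclosing BaseTask class is not.

```python
    def build_extra_vars_file(self, vars, **kwargs):
        """Write ``vars`` to a 0400 temp file for --extra-vars and return its path.

        Strings are emitted tagged as unsafe (so Ansible will not Jinja2-template
        them) unless ALLOW_JINJA_IN_EXTRA_VARS is exactly 'always'; any other
        value, including an unexpected one, takes the tagged path.
        """
        handle, path = tempfile.mkstemp(dir=kwargs.get('private_data_dir', None))
        with os.fdopen(handle, 'w') as f:
            if settings.ALLOW_JINJA_IN_EXTRA_VARS == 'always':
                # Deliberately bypasses unsafe tagging: every value, including
                # ones supplied at launch time, is handed to Jinja2 as-is.
                f.write(yaml.safe_dump(vars))
            else:
                # safe_dict (if given) is what safe_dump is allowed to leave
                # untagged; see safe_dump for the matching rule.
                f.write(safe_dump(vars, kwargs.get('safe_dict', {}) or None))
        os.chmod(path, stat.S_IRUSR)
        return path
```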
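Review bot: Under `'template'` the trust list is the Job Template's saved `extra_vars_dict`, but it is passed to `build_extra_vars_file` alongside the merged `extra_vars`, so whether a launch-time override of a template-defined key is still treated as trusted depends on whether `safe_dump` matches on key alone or on key and value, which this diff does not show. If it matches on key alone, a user who may only set extra vars at launch could replace a template-defined value with a Jinja2 payload and have it templated, which is precisely what this mode exists to prevent. Limiting the trust list to entries whose value survived the merge closes that regardless of safe_dump's rule, assuming `extra_vars` is the merged dict it appears to be: `safe_dict = {k: v for k, v in job.job_template.extra_vars_dict.items() if extra_vars.get(k) == v}`. The comment above should also say that launch-time and survey-supplied values are deliberately excluded, not only that template authors are trusted. The enclosing method starts before and continues after this hunk.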
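Review bot: Renaming the setting silently discards any existing `ALLOW_JINJA_IN_JOB_TEMPLATE_EXTRA_VARS = False` override, whether set in a local settings file or stored through the database-backed setting that conf.py registers, and the new default `'template'` then re-enables Jinja templating of template extra vars on installs that had deliberately turned it off; the diffstat lists only these three files, so there is no migration or compatibility mapping for the old name. Add a data migration for the stored setting and, where local settings are merged after this file, map the legacy boolean onto the new value (`False` → `'never'`, `True` → `'template'`) or at least log a warning when the old name is present, so a hardened deployment does not become more permissive on upgrade. The comment above the line still describes the old boolean; replace it with one that enumerates the choices, e.g. `# 'always', 'never', or 'template' (only extra vars saved on the Job Template are templated; launch-time values never are)`.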