External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-16 05:47:38 -02:30
Code Issues Packages Projects Releases Wiki Activity

use a three-prong setting for Jinja extra vars policy

Browse Source
This commit is contained in:
Ryan Petrello
2018-04-17 12:08:07 -04:00
parent 7304301948
commit fe47b75aad
3 changed files with 23 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
awx/main/conf.py
View File

@@ -133,10 +133,22 @@ register(
) )
register( register(
'ALLOW_JINJA_IN_JOB_TEMPLATE_EXTRA_VARS', 'ALLOW_JINJA_IN_EXTRA_VARS',
field_class=fields.BooleanField, field_class=fields.ChoiceField,
label=_('Allow Jinja template execution in Job Template extra vars'), choices=[
help_text=_('Ansible allows variable substitution and templating via the Jinja2 templating language for a variety of arguments (such as --extra-vars); enabling this flag allows arbitrary Jinja templates to be used on extra vars defined in Job Templates.'), # noqa ('always', _('Always')),
('never', _('Never')),
('template', _('Only On Job Template Definitions')),
],
required=True,
label=_('When can extra variables contain Jinja templates?'),
help_text=_(
'Ansible allows variable substitution via the Jinja2 templating '
'language for --extra-vars. This poses a potential security '
'risk where Tower users with the ability to specify extra vars at job '
'launch time can use Jinja2 templates to run arbitrary Python. It is '
'recommended that this value be set to "template" or "never".'
),
category=_('Jobs'), category=_('Jobs'),
category_slug='jobs', category_slug='jobs',
) )

10
awx/main/tasks.py
View File

@@ -626,7 +626,10 @@ class BaseTask(LogErrorsTask):
def build_extra_vars_file(self, vars, **kwargs): def build_extra_vars_file(self, vars, **kwargs):
handle, path = tempfile.mkstemp(dir=kwargs.get('private_data_dir', None)) handle, path = tempfile.mkstemp(dir=kwargs.get('private_data_dir', None))
f = os.fdopen(handle, 'w') f = os.fdopen(handle, 'w')
f.write(safe_dump(vars, kwargs.get('safe_dict', {}) or None)) if settings.ALLOW_JINJA_IN_EXTRA_VARS == 'always':
f.write(yaml.safe_dump(vars))
else:
f.write(safe_dump(vars, kwargs.get('safe_dict', {}) or None))
f.close() f.close()
os.chmod(path, stat.S_IRUSR) os.chmod(path, stat.S_IRUSR)
return path return path
@@ -909,8 +912,7 @@ class BaseTask(LogErrorsTask):
except Exception: except Exception:
if status != 'canceled': if status != 'canceled':
tb = traceback.format_exc() tb = traceback.format_exc()
if settings.DEBUG: logger.exception('%s Exception occurred while running task', instance.log_format)
logger.exception('%s Exception occurred while running task', instance.log_format)
finally: finally:
try: try:
stdout_handle.flush() stdout_handle.flush()
@@ -1221,7 +1223,7 @@ class RunJob(BaseTask):
# higher levels of privilege - those that have the ability create and # higher levels of privilege - those that have the ability create and
# edit Job Templates) # edit Job Templates)
safe_dict = {} safe_dict = {}
if job.job_template and settings.ALLOW_JINJA_IN_JOB_TEMPLATE_EXTRA_VARS is True: if job.job_template and settings.ALLOW_JINJA_IN_EXTRA_VARS == 'template':
safe_dict = job.job_template.extra_vars_dict safe_dict = job.job_template.extra_vars_dict
extra_vars_path = self.build_extra_vars_file( extra_vars_path = self.build_extra_vars_file(
vars=extra_vars, vars=extra_vars,

2
awx/settings/defaults.py
View File

@@ -586,7 +586,7 @@ CAPTURE_JOB_EVENT_HOSTS = False
AWX_REBUILD_SMART_MEMBERSHIP = False AWX_REBUILD_SMART_MEMBERSHIP = False
# By default, allow arbitrary Jinja templating in extra_vars defined on a Job Template # By default, allow arbitrary Jinja templating in extra_vars defined on a Job Template
ALLOW_JINJA_IN_JOB_TEMPLATE_EXTRA_VARS = True ALLOW_JINJA_IN_EXTRA_VARS = 'template'
# Enable bubblewrap support for running jobs (playbook runs only). # Enable bubblewrap support for running jobs (playbook runs only).
# Note: This setting may be overridden by database settings. # Note: This setting may be overridden by database settings.