Esempio n. 1
 def run(self, terms, variables=None, **kwargs):
     """Check every requested file path, then defer to the parent lookup.

     Each term is split into directory and file name, the directory is
     resolved under 'files' relative to the base directory, and the
     re-joined path is handed to ``paths._fail_if_unsafe`` with
     ``allow_trusted=True``.  Only after all terms have been checked is
     the inherited ``run`` called with the original arguments.
     """
     root = self.get_basedir(variables)
     for entry in terms:
         resolved_dir = self._loader.path_dwim_relative(
             root, 'files', os.path.dirname(entry))
         candidate = os.path.join(resolved_dir, os.path.basename(entry))
         # NOTE(review): the parent resolves `terms` again on its own, so
         # this guard only helps if both resolutions agree -- verify
         # against the parent implementation.
         paths._fail_if_unsafe(candidate, allow_trusted=True)
     return super(LookupModule, self).run(terms, variables, **kwargs)
Esempio n. 2
    def run(self, tmp=None, task_vars=None):
        """Gate the wrapped action behind the module and path checks.

        Returns the dict produced by ``paths._fail_module_dict`` when the
        module is not an official one.  For localhost tasks the 'dest'
        argument is passed to ``paths._fail_if_unsafe`` before the
        inherited ``run`` is called.
        """
        official = paths._is_official_module(self)
        if not official:
            return paths._fail_module_dict(self._task.action)

        on_localhost = paths._is_localhost_task(self)
        if on_localhost:
            # Indexed rather than .get(): a task without 'dest' raises here
            # instead of skipping the path check.
            target = self._task.args['dest']
            paths._fail_if_unsafe(target)

        return super(ActionModule, self).run(tmp, task_vars)
Esempio n. 3
    def handle_stat(self):
        '''Permit the stat module on localhost for safe paths only.

        The :ansible:module:`stat` is useful in jobs that manipulate logs
        and artifacts, so it is allowed as long as it does not touch files
        outside the zuul work dir.  The ``get_mime`` option is refused.

        Raises AnsibleError when ``get_mime`` is set.
        '''
        task_args = self._task.args
        if task_args.get('get_mime'):
            raise AnsibleError("get_mime on localhost is forbidden")
        # 'path' is indexed directly, so a missing key raises instead of
        # bypassing the check.
        paths._fail_if_unsafe(task_args['path'])
Esempio n. 4
    def handle_file(self):
        '''Permit the file module on localhost for safe paths only.

        The :ansible:module:`file` is useful in jobs that manipulate logs
        and artifacts.  Every one of the 'path', 'dest' and 'name'
        arguments that is set is checked, so access to files outside the
        zuul work dir is blocked.
        '''
        task_args = self._task.args
        # Lazy on purpose: each argument is looked up right before its check.
        supplied = (task_args.get(key) for key in ('path', 'dest', 'name'))
        for target in supplied:
            # Unset or empty arguments are skipped, not checked.
            if target:
                paths._fail_if_unsafe(target)
Esempio n. 5
    def run(self, tmp=None, task_vars=None):
        """Gate the wrapped action behind the module and path checks.

        Returns the dict produced by ``paths._fail_module_dict`` when the
        module is not an official one.  For localhost tasks, whichever of
        'src' and 'dest' is set is passed to ``paths._fail_if_unsafe``
        before the inherited ``run`` is called.
        """
        if not paths._is_official_module(self):
            return paths._fail_module_dict(self._task.action)

        if paths._is_localhost_task(self):
            task_args = self._task.args
            for key in ('src', 'dest'):
                location = task_args.get(key)
                # Unset or empty arguments are skipped, not checked.
                if not location:
                    continue
                paths._fail_if_unsafe(location)

        return super(ActionModule, self).run(tmp, task_vars)
Esempio n. 6
    def handle_known_hosts(self):
        '''Permit known_hosts on localhost for safe paths only.

        The :ansible:module:`known_hosts` can add the SSH host keys of a
        remote system.  Run from an executor together with the add_host
        task, it makes remote servers reachable; this is needed because
        ansible on the executor checks host keys by default.

        Access to files outside the zuul work dir is blocked.
        '''
        if not paths._is_localhost_task(self):
            return
        known_hosts_file = self._task.args.get('path')
        # NOTE(review): with no 'path' argument nothing is validated here and
        # the module presumably falls back to its default file -- confirm
        # that this is acceptable on the executor.
        if known_hosts_file:
            paths._fail_if_unsafe(known_hosts_file)
Esempio n. 7
    def run(self, terms, variables=None, **kwargs):
        """Expand each glob term and return the matching regular files.

        The directory part of a term is located through
        ``find_file_in_search_path`` under 'files'; terms whose directory
        is not found contribute nothing.  A found directory is passed to
        ``paths._fail_if_unsafe`` (``allow_trusted=True``) before the file
        name pattern is globbed inside it.  Matches are returned as text.
        """
        matches = []
        for term in terms:
            name_pattern = os.path.basename(term)
            search_dir = self.find_file_in_search_path(
                variables, 'files', os.path.dirname(term))
            if not search_dir:
                continue
            # NOTE(review): only the directory is validated; individual
            # matches are not re-checked, and os.path.isfile follows
            # symlinks -- confirm whether matched entries need their own
            # check.
            paths._fail_if_unsafe(search_dir, allow_trusted=True)
            full_pattern = to_bytes(
                os.path.join(search_dir, name_pattern),
                errors='surrogate_or_strict')
            for hit in glob.glob(full_pattern):
                if os.path.isfile(hit):
                    matches.append(
                        to_text(hit, errors='surrogate_or_strict'))
        return matches
Esempio n. 8
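    def read_csv(
            self, filename, key, delimiter, encoding='utf-8',
            dflt=None, col=1):
        """Return column *col* of the first row whose first cell equals *key*.

        *filename* is passed to ``paths._fail_if_unsafe`` (with
        ``allow_trusted=True``) before the file is opened.  The file is
        parsed with the ``csv.excel`` dialect and the given *delimiter*.
        *dflt* is returned when no row matches.

        Raises AnsibleError for any failure while opening or parsing the
        file, including a *col* index outside the matching row.
        """
        paths._fail_if_unsafe(filename, allow_trusted=True)

        # upstream csvfile read_csv does not work with python3 so
        # carry our own version.
        # NOTE: `encoding` is accepted but not applied to open() here.
        try:
            # The context manager closes the handle on every exit path,
            # including the early return and the error path.
            with open(filename, 'r') as f:
                creader = csv.reader(
                    f, dialect=csv.excel, delimiter=delimiter)

                for row in creader:
                    # A blank line parses to an empty row; skip it rather
                    # than failing the whole lookup on row[0].
                    if row and row[0] == key:
                        return row[int(col)]
        except Exception as e:
            raise AnsibleError("csvfile: %s" % to_native(e))

        return dflt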
Esempio n. 9
    def run(self, tmp=None, task_vars=None):
        """Gate the wrapped patch action behind the module and path checks.

        Returns the dict produced by ``paths._fail_module_dict`` when the
        module is not an official one.  For localhost tasks, 'basedir' and
        'dest' are each passed to ``paths._fail_if_unsafe`` when present,
        before the inherited ``run`` is called.
        """
        if not paths._is_official_module(self):
            return paths._fail_module_dict(self._task.action)

        if paths._is_localhost_task(self):
            # The patch module can describe where it operates in two ways,
            # basedir and dest, so the safe path check covers both.
            task_args = self._task.args
            for key in ('basedir', 'dest'):
                directory = task_args.get(key)
                # Only a missing argument is skipped; an empty string is
                # still handed to the check.
                if directory is None:
                    continue
                paths._fail_if_unsafe(directory)

        return super(ActionModule, self).run(tmp, task_vars)
Esempio n. 10
 def read_ini(self, filename, *args, **kwargs):
     """Check *filename*, then read it with the inherited ``read_ini``.

     The path goes through ``paths._fail_if_unsafe`` with
     ``allow_trusted=True`` before the parent implementation is called
     with the unchanged arguments.
     """
     paths._fail_if_unsafe(filename, allow_trusted=True)
     parent = super(LookupModule, self)
     return parent.read_ini(filename, *args, **kwargs)
Esempio n. 11
 def run(self, terms, variables=None, **kwargs):
     """Check the resolved file of every term, then defer to the parent.

     Each term is located under 'files' with ``find_file_in_search_path``
     and the result is passed to ``paths._fail_if_unsafe`` with
     ``allow_trusted=True``.  The inherited ``run`` is called only after
     all terms have been checked.
     """
     for entry in terms:
         resolved = self.find_file_in_search_path(variables, 'files', entry)
         # NOTE(review): the parent resolves `terms` again on its own, so
         # this guard only helps if both resolutions agree -- verify
         # against the parent implementation.
         paths._fail_if_unsafe(resolved, allow_trusted=True)
     parent = super(LookupModule, self)
     return parent.run(terms, variables, **kwargs)
Esempio n. 12
 def run(self, terms, variables=None, **kwargs):
     """Check the resolved file of every term, then defer to the parent.

     Each term is located under 'files' with ``find_file_in_search_path``
     and the result is passed to ``paths._fail_if_unsafe`` (called here
     without ``allow_trusted``).  The inherited ``run`` is called only
     after all terms have been checked.
     """
     for entry in terms:
         resolved = self.find_file_in_search_path(variables, 'files', entry)
         # NOTE(review): the parent resolves `terms` again on its own, so
         # this guard only helps if both resolutions agree -- verify
         # against the parent implementation.
         paths._fail_if_unsafe(resolved)
     parent = super(LookupModule, self)
     return parent.run(terms, variables, **kwargs)
Esempio n. 13
 def read_ini(self, filename, *args, **kwargs):
     """Check *filename*, then read it with the inherited ``read_ini``.

     The path goes through ``paths._fail_if_unsafe`` with
     ``allow_trusted=True`` before the parent implementation is called
     with the unchanged arguments.
     """
     paths._fail_if_unsafe(filename, allow_trusted=True)
     parent = super(LookupModule, self)
     return parent.read_ini(filename, *args, **kwargs)
Esempio n. 14
    def run(self, terms, variables, **kwargs):
        """Return the first candidate file that exists, as a one-item list.

        Terms may be plain entries or dicts with 'files', 'paths' and
        'skip' keys.  Every candidate is passed to
        ``zuul_paths._fail_if_unsafe`` before it is templated and looked
        up.  When nothing is found, an empty list is returned if 'skip'
        was set, otherwise AnsibleLookupError is raised.
        """

        anydict = False
        skip = False

        # First pass: find out whether any term uses the dict form.
        for term in terms:
            if isinstance(term, dict):
                anydict = True

        total_search = []
        if anydict:
            for term in terms:
                if isinstance(term, dict):
                    files = term.get('files', [])
                    # This local holds the term's 'paths' option; the safety
                    # helper is referenced as `zuul_paths` further down.
                    paths = term.get('paths', [])
                    skip = boolean(term.get('skip', False))

                    # A string value is split on ',', ';' and spaces.
                    filelist = files
                    if isinstance(files, string_types):
                        files = files.replace(',', ' ')
                        files = files.replace(';', ' ')
                        filelist = files.split(' ')

                    # Same for paths, with ':' as an additional separator.
                    pathlist = paths
                    if paths:
                        if isinstance(paths, string_types):
                            paths = paths.replace(',', ' ')
                            paths = paths.replace(':', ' ')
                            paths = paths.replace(';', ' ')
                            pathlist = paths.split(' ')

                    if not pathlist:
                        # No paths: the file list replaces whatever was
                        # collected so far.
                        total_search = filelist
                    else:
                        # Otherwise every path is combined with every file.
                        for path in pathlist:
                            for fn in filelist:
                                f = os.path.join(path, fn)
                                total_search.append(f)
                else:
                    total_search.append(term)
        else:
            total_search = self._flatten(terms)

        for fn in total_search:
            # NOTE(review): the check runs on the raw candidate, before
            # templating and before the search-path lookup; the templated
            # value and the resolved `path` returned below are not
            # re-checked here.  Confirm candidates are fully rendered when
            # they arrive, or validate the resolved path as well.
            zuul_paths._fail_if_unsafe(fn)
            try:
                fn = self._templar.template(fn)
            except (AnsibleUndefinedVariable, UndefinedError):
                # Candidates that reference undefined variables are skipped.
                continue

            # get subdir if set by task executor, default to files otherwise
            subdir = getattr(self, '_subdir', 'files')
            path = None
            path = self.find_file_in_search_path(variables,
                                                 subdir,
                                                 fn,
                                                 ignore_missing=True)
            if path is not None:
                return [path]
        else:
            # The loop has no break, so this runs whenever no candidate
            # resolved to a path.
            if skip:
                return []
            else:
                raise AnsibleLookupError(
                    "No file was found when using with_first_found. Use the"
                    " 'skip: true' option to allow this task to be skipped if"
                    " no files are found")
Esempio n. 15
 def read_properties(self, filename, *args, **kwargs):
     """Check *filename*, then read it with the inherited implementation.

     The path goes through ``paths._fail_if_unsafe`` (called here without
     ``allow_trusted``) before the parent ``read_properties`` is called
     with the unchanged arguments.
     """
     paths._fail_if_unsafe(filename)
     parent = super(LookupModule, self)
     return parent.read_properties(filename, *args, **kwargs)
Esempio n. 16
    def run(self, terms, variables, **kwargs):
        """Return the first candidate file that exists, as a one-item list.

        Terms may be plain entries or dicts with 'files', 'paths' and
        'skip' keys.  Every candidate is passed to
        ``zuul_paths._fail_if_unsafe`` (``allow_trusted=True``) before it
        is templated and looked up.  When nothing is found, an empty list
        is returned if 'skip' was set, otherwise AnsibleLookupError is
        raised.
        """

        anydict = False
        skip = False

        # First pass: find out whether any term uses the dict form.
        for term in terms:
            if isinstance(term, dict):
                anydict = True

        total_search = []
        if anydict:
            for term in terms:
                if isinstance(term, dict):
                    files = term.get('files', [])
                    # This local holds the term's 'paths' option; the safety
                    # helper is referenced as `zuul_paths` further down.
                    paths = term.get('paths', [])
                    skip = boolean(term.get('skip', False))

                    # A string value is split on ',', ';' and spaces.
                    filelist = files
                    if isinstance(files, string_types):
                        files = files.replace(',', ' ')
                        files = files.replace(';', ' ')
                        filelist = files.split(' ')

                    # Same for paths, with ':' as an additional separator.
                    pathlist = paths
                    if paths:
                        if isinstance(paths, string_types):
                            paths = paths.replace(',', ' ')
                            paths = paths.replace(':', ' ')
                            paths = paths.replace(';', ' ')
                            pathlist = paths.split(' ')

                    if not pathlist:
                        # No paths: the file list replaces whatever was
                        # collected so far.
                        total_search = filelist
                    else:
                        # Otherwise every path is combined with every file.
                        for path in pathlist:
                            for fn in filelist:
                                f = os.path.join(path, fn)
                                total_search.append(f)
                else:
                    total_search.append(term)
        else:
            total_search = self._flatten(terms)

        for fn in total_search:
            # NOTE(review): the check runs on the raw candidate, before
            # templating and before the search-path lookup; the templated
            # value and the resolved `path` returned below are not
            # re-checked here.  Confirm candidates are fully rendered when
            # they arrive, or validate the resolved path as well.
            zuul_paths._fail_if_unsafe(fn, allow_trusted=True)
            try:
                fn = self._templar.template(fn)
            except (AnsibleUndefinedVariable, UndefinedError):
                # Candidates that reference undefined variables are skipped.
                continue

            # get subdir if set by task executor, default to files otherwise
            subdir = getattr(self, '_subdir', 'files')
            path = None
            path = self.find_file_in_search_path(
                variables, subdir, fn, ignore_missing=True)
            if path is not None:
                return [path]
        else:
            # The loop has no break, so this runs whenever no candidate
            # resolved to a path.
            if skip:
                return []
            else:
                raise AnsibleLookupError(
                    "No file was found when using with_first_found. Use the"
                    " 'skip: true' option to allow this task to be skipped if"
                    " no files are found")