Use safe_eval vs eval.
parent
fecfbf9226
commit
a83e10d77d
2 changed files with 30 additions and 2 deletions
|
@ -15,6 +15,8 @@
|
||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
from ansible.utils import safe_eval
|
||||||
|
|
||||||
def flatten(terms):
|
def flatten(terms):
|
||||||
ret = []
|
ret = []
|
||||||
for term in terms:
|
for term in terms:
|
||||||
|
@ -34,7 +36,7 @@ class LookupModule(object):
|
||||||
if '{' or '[' in terms:
|
if '{' or '[' in terms:
|
||||||
# Jinja2-ified list needs to be converted back to a real type
|
# Jinja2-ified list needs to be converted back to a real type
|
||||||
# TODO: something a bit less heavy than eval
|
# TODO: something a bit less heavy than eval
|
||||||
terms = eval(terms)
|
terms = safe_eval(terms)
|
||||||
terms = [ terms ]
|
terms = [ terms ]
|
||||||
return flatten(terms)
|
return flatten(terms)
|
||||||
|
|
||||||
|
|
|
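Review bot: `terms = safe_eval(terms)` still hands a Jinja2-rendered string to `eval()` behind a regex filter, while the comment two lines above says the goal is only to turn a stringified list back into a real type; `ast.literal_eval(terms)` does exactly that and cannot execute code, so the TODO can be closed with `terms = ast.literal_eval(terms)` (plus `import ast` at module top — the import block is only partly visible in this hunk). The guard `if '{' or '[' in terms:` is always true because `'{'` is a non-empty string, so every term string reaches the evaluator even when it contains no bracket; it presumably should read `if '{' in terms or '[' in terms:`. Whether a rejected or unparsable string is handled further up is not visible, because the enclosing method starts before this hunk.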
@ -162,7 +162,7 @@ def check_conditional(conditional):
|
||||||
|
|
||||||
try:
|
try:
|
||||||
conditional = conditional.replace("\n", "\\n")
|
conditional = conditional.replace("\n", "\\n")
|
||||||
result = eval(conditional)
|
result = safe_eval(conditional)
|
||||||
if result not in [ True, False ]:
|
if result not in [ True, False ]:
|
||||||
raise errors.AnsibleError("Conditional expression must evaluate to True or False: %s" % conditional)
|
raise errors.AnsibleError("Conditional expression must evaluate to True or False: %s" % conditional)
|
||||||
return result
|
return result
|
||||||
|
@ -684,3 +684,29 @@ def is_list_of_strings(items):
|
||||||
return False
|
return False
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
def safe_eval(str):
|
||||||
|
'''
|
||||||
|
this is intended for allowing things like:
|
||||||
|
with_items: {{ a_list_variable }}
|
||||||
|
where Jinja2 would return a string
|
||||||
|
but we do not want to allow it to call functions (outside of Jinja2, where
|
||||||
|
the env is constrained)
|
||||||
|
'''
|
||||||
|
# FIXME: is there a more native way to do this?
|
||||||
|
|
||||||
|
# do not allow method calls
|
||||||
|
if re.search(r'\w\.\w+\(', str):
|
||||||
|
print "C1"
|
||||||
|
return str
|
||||||
|
# do not allow imports
|
||||||
|
if re.search(r'import \w+', str):
|
||||||
|
print "C2"
|
||||||
|
return str
|
||||||
|
return eval(str)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
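Review bot: The regex filters in `safe_eval` do not stop arbitrary code: `__import__('os').system('id')` matches neither `r'\w\.\w+\('` (the character before `.system(` is `)`, not a word character) nor `r'import \w+'` (no space after `import`), so the string reaches `eval(str)` with full builtins. Since the two callers only need to turn a Jinja2-rendered list/dict literal back into a real object and to evaluate a conditional already rendered down to literals, a whitelist over the parsed AST is the safer shape — the rewrite below parses with `ast.parse(expr, mode='eval')`, rejects any node outside a fixed set of literal, container, boolean, arithmetic and comparison nodes, and evaluates with `__builtins__` emptied; it needs `import ast` at the module top (outside this hunk), and any conditional that relied on names or function calls would have to be added to the allow-list explicitly. The `print "C1"` / `print "C2"` lines are leftover debugging that writes to stdout on every rejected expression and should go. Naming the parameter `str` shadows the builtin, so the rewrite renames it to `expr`. The regex calls also assume `re` is imported at module top, which is not visible in this hunk.
```python
# AST node types an expression may contain once Jinja2 has rendered it:
# literals, containers, boolean/arithmetic operators and comparisons.
# No Call, Attribute, Subscript or Name (other than True/False/None), so
# the eval() below can never reach a function or a builtin.
SAFE_EVAL_NODES = (
    ast.Expression, ast.BoolOp, ast.UnaryOp, ast.BinOp, ast.Compare,
    ast.Num, ast.Str, ast.List, ast.Tuple, ast.Dict,
    ast.And, ast.Or, ast.Not, ast.UAdd, ast.USub,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.In, ast.NotIn, ast.Is, ast.IsNot, ast.Load,
)
SAFE_EVAL_NAMES = {'True': True, 'False': False, 'None': None}

def safe_eval(expr):
    '''
    Evaluate a Jinja2-rendered literal (list, dict, string, number) or a
    conditional that has already been rendered down to literals, without
    giving it access to the Python runtime. Returns the input unchanged
    when it is not an accepted expression, matching the previous fall-through.
    '''
    try:
        tree = ast.parse(expr, mode='eval')
    except SyntaxError:
        return expr
    for node in ast.walk(tree):
        if isinstance(node, ast.Name):
            if node.id not in SAFE_EVAL_NAMES:
                return expr
        elif not isinstance(node, SAFE_EVAL_NODES):
            return expr
    # only whitelisted nodes survive; an empty __builtins__ closes the last door
    scope = dict(SAFE_EVAL_NAMES, __builtins__={})
    return eval(compile(tree, '<safe_eval>', 'eval'), scope, {})
```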