From 950c6b1e2ddf721d93a6ea7d51e682b1524bc7c9 Mon Sep 17 00:00:00 2001 From: Monty Taylor Date: Thu, 5 Oct 2017 11:46:37 -0500 Subject: [PATCH] Fix path exclusions The current code checks to see that the destination path shares a prefix with os.path.curdir. However, os.path.curdir is set to the directory containing the playbook, not the root of the workdir, which means we're not excluding things in the trusted dir like we'd like to be doing. We already set HOME to the root of thew workdir, so we can just switch the check from os.path.curdir to os.path.expanduser('~') and achieve the original intent. Change-Id: Ifac41f74f3306fe74b522c910867f9a5375bd61e --- zuul/ansible/paths.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zuul/ansible/paths.py b/zuul/ansible/paths.py index 04daef481d..05f9fdc593 100644 --- a/zuul/ansible/paths.py +++ b/zuul/ansible/paths.py @@ -24,7 +24,7 @@ import ansible.plugins.lookup def _is_safe_path(path): full_path = os.path.realpath(os.path.abspath(os.path.expanduser(path))) - if not full_path.startswith(os.path.abspath(os.path.curdir)): + if not full_path.startswith(os.path.abspath(os.path.expanduser('~'))): return False return True