From 12ce3518780afa00f714b34d4c11281755e746c0 Mon Sep 17 00:00:00 2001
From: Tristan Cacqueray
Date: Fri, 19 Jan 2018 02:30:55 +0000
Subject: [PATCH] executor: block stat get_mime on localhost

The get_mime option may be used to abuse the file utility. This change disables this module argument.

Change-Id: Idc3bf8d101a15f572841b504ef16335281079142
---
 zuul/ansible/action/normal.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/zuul/ansible/action/normal.py b/zuul/ansible/action/normal.py
index 152f13f841..35ae8cb41c 100644
--- a/zuul/ansible/action/normal.py
+++ b/zuul/ansible/action/normal.py
@@ -63,6 +63,8 @@ class ActionModule(normal.ActionModule):
 Block any access of files outside the zuul work dir.
 '''
+ if self._task.args.get('get_mime') is not None:
+ raise AnsibleError("get_mime on localhost is forbidden")
 paths._fail_if_unsafe(self._task.args['path'])
 def handle_file(self):
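Review bot: The added guard matches only the literal key `get_mime`, so it rejects a task that names the option but does not by itself turn the behaviour off. In upstream Ansible's stat module this option also has the aliases `mime`, `mime_type` and `mime-type` and, as far as I recall, defaults to enabled; both points should be confirmed against the Ansible version the executor ships. If that holds, a task that omits the argument or uses an alias still reaches the `file` utility. I would reject every spelling with `if any(k in self._task.args for k in ('get_mime', 'mime', 'mime_type', 'mime-type')):` ahead of the existing `raise`, then pin the value with `self._task.args['get_mime'] = False` before the path check. The method this hunk patches starts above the hunk, so whether `AnsibleError` is already imported in `normal.py` cannot be seen from here; the diffstat shows no import being added.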