Add missing localhost delegation checks to some modules

Currently we don't check some modules for delegation to
localhost. This would make it possible to overwrite any data which is
writable within the bwrap context. Further the script module allows
arbitrary code execution when delegated to localhost.

The following modules are affected:
* assemble: add safe path check
* copy: add safe path check
* patch: add safe path check
* script: block completely
* template: add safe path check
* unarchive: add tests, fixed by safe path check of copy

Change-Id: I2360219f50e6a28bb134468ead08ec72148ad192
Story: 2001681

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/assemble-delegate.yaml

@@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+    - assemble-test-delegate

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/assemble-localhost.yaml

@@ -0,0 +1,11 @@
+- hosts: localhost
+  roles:
+    - assemble-test-localhost
+
+- hosts: 127.0.0.1
+  roles:
+    - assemble-test-localhost
+
+- hosts: "::1"
+  roles:
+    - assemble-test-localhost

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/copy-delegate.yaml

@@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+    - copy-test-delegate

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/copy-localhost.yaml

@@ -0,0 +1,11 @@
+- hosts: localhost
+  roles:
+    - copy-test-localhost
+
+- hosts: 127.0.0.1
+  roles:
+    - copy-test-localhost
+
+- hosts: "::1"
+  roles:
+    - copy-test-localhost

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/patch-delegate.yaml

@@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+    - patch-test-delegate

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/patch-localhost.yaml

@@ -0,0 +1,11 @@
+- hosts: localhost
+  roles:
+    - patch-test-localhost
+
+- hosts: 127.0.0.1
+  roles:
+    - patch-test-localhost
+
+- hosts: "::1"
+  roles:
+    - patch-test-localhost

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/assemble-test-delegate/files/dir/resolv.conf

@@ -0,0 +1 @@
+one

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/assemble-test-delegate/tasks/assemble-delegate.yaml

@@ -0,0 +1,14 @@
+- name: Assemble
+  assemble:
+    src: dir
+    dest: /opt/assemble-dest
+    remote_src: no
+  delegate_to: "{{ item }}"
+  ignore_errors: true
+  register: result
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Accessing files from outside the working dir' in result.msg"
+    msg: Assemble must fail due to accessing files outside the working dir

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/assemble-test-delegate/tasks/main.yaml

@@ -0,0 +1,22 @@
+- include: assemble-delegate.yaml
+  with_items:
+    - ::1
+    - 127.0.0.1
+    - localhost
+
+- name: Define target dir
+  set_fact:
+    targetdir: "{{ zuul.executor.work_root }}/assemble-target"
+
+- name: Create target dir
+  file:
+    state: directory
+    path: "{{ targetdir }}"
+  delegate_to: localhost
+
+- name: Assemble to safe local path
+  assemble:
+    src: dir
+    dest: "{{ targetdir }}/assemble-dest.conf"
+    remote_src: no
+  delegate_to: localhost

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/assemble-test-localhost/files/dir/resolv.conf

@@ -0,0 +1 @@
+one

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/assemble-test-localhost/tasks/main.yaml

@@ -0,0 +1,13 @@
+- name: Assemble
+  assemble:
+    src: dir
+    dest: /opt/assemble-dest
+    remote_src: no
+  ignore_errors: true
+  register: result
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Accessing files from outside the working dir' in result.msg"
+    msg: Assemble must fail due to accessing files outside the working dir

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/copy-test-delegate/tasks/copy-delegate.yaml

@@ -0,0 +1,13 @@
+- name: Copy
+  copy:
+    src: file
+    dest: /opt/copy-dest
+  delegate_to: "{{ item }}"
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Accessing files from outside the working dir' in result.msg"
+    msg: Copy must fail due to accessing files outside the working dir

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/copy-test-delegate/tasks/main.yaml

@@ -0,0 +1,27 @@
+- include: copy-delegate.yaml
+  with_items:
+    - ::1
+    - 127.0.0.1
+    - localhost
+
+- name: Define target dir
+  set_fact:
+    targetdir: "{{ zuul.executor.work_root }}/copy-target"
+
+- name: Create target dir
+  file:
+    state: directory
+    path: "{{ targetdir }}"
+  delegate_to: localhost
+
+- name: Copy file into safe path
+  copy:
+    src: file
+    dest: "{{ targetdir }}/dest-file"
+  delegate_to: localhost
+
+- name: Copy file into safe directory
+  copy:
+    src: file
+    dest: "{{ targetdir }}/dest-dir/"
+  delegate_to: localhost

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/copy-test-localhost/tasks/main.yaml

@@ -0,0 +1,12 @@
+- name: Copy
+  copy:
+    src: file
+    dest: /opt/copy-dest
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Accessing files from outside the working dir' in result.msg"
+    msg: Copy must fail due to accessing files outside the working dir

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/patch-test-delegate/files/patch

@@ -0,0 +1,7 @@
+diff --git a/readme.txt b/readme.txt
+index 24308cb..b07f0ed 100644
+--- a/readme.txt
++++ b/readme.txt
+@@ -1 +1 @@
+-This is a readme
++This is a README

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/patch-test-delegate/files/readme.txt

@@ -0,0 +1 @@
+This is a readme

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/patch-test-delegate/tasks/main.yaml

@@ -0,0 +1,41 @@
+- include: patch-delegate.yaml
+  with_items:
+    - ::1
+    - 127.0.0.1
+    - localhost
+
+- name: Define target dir
+  set_fact:
+    targetdir: "{{ zuul.executor.work_root }}/patch-target"
+
+- name: Create target dir
+  file:
+    state: directory
+    path: "{{ targetdir }}"
+  delegate_to: localhost
+
+- name: Copy readme
+  copy:
+    src: readme.txt
+    dest: "{{ targetdir }}/readme.txt"
+  delegate_to: localhost
+
+- name: Patch in safe path using basedir
+  patch:
+    src: "patch"
+    basedir: "{{ targetdir }}"
+    strip: 1
+  delegate_to: localhost
+
+- name: Copy readme again
+  copy:
+    src: readme.txt
+    dest: "{{ targetdir }}/readme.txt"
+  delegate_to: localhost
+
+- name: Patch in safe path using dest
+  patch:
+    src: "patch"
+    dest: "{{ targetdir }}/readme.txt"
+    strip: 1
+  delegate_to: localhost

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/patch-test-delegate/tasks/patch-delegate.yaml

@@ -0,0 +1,29 @@
+- name: Patch with basedir
+  patch:
+    src: patch
+    basedir: "/opt/patch-dest"
+    strip: 1
+  delegate_to: "{{ item }}"
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Accessing files from outside the working dir' in result.msg"
+    msg: Patch must fail due to accessing files outside the working dir
+
+- name: Patch with dest
+  patch:
+    src: patch
+    dest: "/opt/patch-dest/readme"
+    strip: 1
+  delegate_to: "{{ item }}"
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Accessing files from outside the working dir' in result.msg"
+    msg: Patch must fail due to accessing files outside the working dir

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/patch-test-localhost/files/patch

@@ -0,0 +1,7 @@
+diff --git a/readme.txt b/readme.txt
+index 24308cb..b07f0ed 100644
+--- a/readme.txt
++++ b/readme.txt
+@@ -1 +1 @@
+-This is a readme
++This is a README

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/patch-test-localhost/files/readme.txt

@@ -0,0 +1 @@
+This is a readme

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/patch-test-localhost/tasks/main.yaml

@@ -0,0 +1,27 @@
+- name: Patch with basedir
+  patch:
+    src: patch
+    basedir: "/opt/patch-dest"
+    strip: 1
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Accessing files from outside the working dir' in result.msg"
+    msg: Patch must fail due to accessing files outside the working dir
+
+- name: Patch with dest
+  patch:
+    src: patch
+    dest: "/opt/patch-dest/readme"
+    strip: 1
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Accessing files from outside the working dir' in result.msg"
+    msg: Patch must fail due to accessing files outside the working dir

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/script-test-delegate/files/script.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo one

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/script-test-delegate/tasks/main.yaml

@@ -0,0 +1,5 @@
+- include: script-delegate.yaml
+  with_items:
+    - ::1
+    - 127.0.0.1
+    - localhost

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/script-test-delegate/tasks/script-delegate.yaml

@@ -0,0 +1,11 @@
+- name: Script
+  script: script.sh
+  delegate_to: "{{ item }}"
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Executing local code is prohibited' in result.msg"
+    msg: Script must fail due to local code execution restriction

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/script-test-localhost/files/script.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo one

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/script-test-localhost/tasks/main.yaml

@@ -0,0 +1,10 @@
+- name: Script
+  script: script.sh
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Executing local code is prohibited' in result.msg"
+    msg: Script must fail due to local code execution restriction

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/template-test-delegate/tasks/main.yaml

@@ -0,0 +1,21 @@
+- include: template-delegate.yaml
+  with_items:
+    - ::1
+    - 127.0.0.1
+    - localhost
+
+- name: Define target dir
+  set_fact:
+    targetdir: "{{ zuul.executor.work_root }}/template-target"
+
+- name: Create target dir
+  file:
+    state: directory
+    path: "{{ targetdir }}"
+  delegate_to: localhost
+
+- name: Template into safe path
+  template:
+    src: template
+    dest: "{{ targetdir }}/dest-file"
+  delegate_to: localhost

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/template-test-delegate/tasks/template-delegate.yaml

@@ -0,0 +1,13 @@
+- name: Template
+  copy:
+    src: template
+    dest: /opt/copy-dest
+  delegate_to: "{{ item }}"
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Accessing files from outside the working dir' in result.msg"
+    msg: Template must fail due to accessing files outside the working dir

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/template-test-localhost/tasks/main.yaml

@@ -0,0 +1,12 @@
+- name: Template
+  copy:
+    src: template
+    dest: /opt/copy-dest
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Accessing files from outside the working dir' in result.msg"
+    msg: Template must fail due to accessing files outside the working dir

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/unarchive-test-delegate/tasks/main.yaml

@@ -0,0 +1,21 @@
+- include: unarchive-delegate.yaml
+  with_items:
+    - ::1
+    - 127.0.0.1
+    - localhost
+
+- name: Define target dir
+  set_fact:
+    targetdir: "{{ zuul.executor.work_root }}/unarchive-target"
+
+- name: Create target dir
+  file:
+    state: directory
+    path: "{{ targetdir }}"
+  delegate_to: localhost
+
+- name: Unarchive
+  copy:
+    src: archive.tar
+    dest: "{{ targetdir }}"
+  delegate_to: localhost

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/unarchive-test-delegate/tasks/unarchive-delegate.yaml

@@ -0,0 +1,13 @@
+- name: Unarchive
+  copy:
+    src: archive.tar
+    dest: /opt/unarchive-dest
+  delegate_to: "{{ item }}"
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Accessing files from outside the working dir' in result.msg"
+    msg: Unarchive must fail due to accessing files outside the working dir

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/roles/unarchive-test-localhost/tasks/main.yaml

@@ -0,0 +1,12 @@
+- name: Unarchive
+  copy:
+    src: archive.tar
+    dest: /opt/unarchive-dest
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - "result.failed == true"
+      - "'Accessing files from outside the working dir' in result.msg"
+    msg: Unarchive must fail due to accessing files outside the working dir

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/script-delegate.yaml

@@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+    - script-test-delegate

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/script-localhost.yaml

@@ -0,0 +1,11 @@
+- hosts: localhost
+  roles:
+    - script-test-localhost
+
+- hosts: 127.0.0.1
+  roles:
+    - script-test-localhost
+
+- hosts: "::1"
+  roles:
+    - script-test-localhost

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/template-delegate.yaml

@@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+    - template-test-delegate

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/template-localhost.yaml

@@ -0,0 +1,11 @@
+- hosts: localhost
+  roles:
+    - template-test-localhost
+
+- hosts: 127.0.0.1
+  roles:
+    - template-test-localhost
+
+- hosts: "::1"
+  roles:
+    - template-test-localhost

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/unarchive-delegate.yaml

@@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+    - unarchive-test-delegate

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/unarchive-localhost.yaml

@@ -0,0 +1,11 @@
+- hosts: localhost
+  roles:
+    - unarchive-test-localhost
+
+- hosts: 127.0.0.1
+  roles:
+    - unarchive-test-localhost
+
+- hosts: "::1"
+  roles:
+    - unarchive-test-localhost