Browse Source

Fix path exclusions

The current code checks to see that the destination path shares a prefix
with os.path.curdir. However, os.path.curdir is set to the directory
containing the playbook, not the root of the workdir, which means we're
not excluding things in the trusted dir like we'd like to be doing.

We already set HOME to the root of thew workdir, so we can just switch
the check from os.path.curdir to os.path.expanduser('~') and achieve the
original intent.

Change-Id: Ifac41f74f3306fe74b522c910867f9a5375bd61e
changes/01/509901/1
Monty Taylor 5 years ago
parent
commit
950c6b1e2d
No known key found for this signature in database
GPG Key ID: 7BAE94BC7141A594
  1. 2
      zuul/ansible/paths.py

2
zuul/ansible/paths.py

@ -24,7 +24,7 @@ import ansible.plugins.lookup
def _is_safe_path(path):
full_path = os.path.realpath(os.path.abspath(os.path.expanduser(path)))
if not full_path.startswith(os.path.abspath(os.path.curdir)):
if not full_path.startswith(os.path.abspath(os.path.expanduser('~'))):
return False
return True

Loading…
Cancel
Save