Allow template lookup in untrusted context

This is similar to the already-permitted file lookup, but it templates the result. The same access restrictions on the supplied path as file should be applied. Change-Id: I21b8788d491485cef6b05bebeb4b93c8df6b535c
2020-02-10 12:44:05 -08:00 · 2020-02-10 12:44:05 -08:00 · df62a94946
parent 1d4b3796f7
commit df62a94946
1 changed files with 27 additions and 1 deletions
--- a/zuul/ansible/base/lookup/template.py
+++ b/zuul/ansible/base/lookup/template.py
@ -1 +0,0 @@
-_banned.py
--- a/zuul/ansible/base/lookup/template.py
+++ b/zuul/ansible/base/lookup/template.py
@ -0,0 +1,27 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# This module is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software.  If not, see <http://www.gnu.org/licenses/>.
+
+from zuul.ansible import paths
+template_mod = paths._import_ansible_lookup_plugin("template")
+
+
+class LookupModule(template_mod.LookupModule):
+
+    def run(self, terms, variables=None, **kwargs):
+        for term in terms:
+            lookupfile = self.find_file_in_search_path(
+                variables, 'templates', term)
+            paths._fail_if_unsafe(lookupfile, allow_trusted=True)
+        return super(LookupModule, self).run(terms, variables, **kwargs)