summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorLee Garrett <lgarrett@rocketjump.eu>2023-10-20 16:36:43 +0200
committerLee Garrett <lgarrett@rocketjump.eu>2023-10-20 16:36:43 +0200
commitaa50cf5e169fcddf7e7b049117cdea5e305f6645 (patch)
tree29bff81a20cd2be84df506a6e431050c66700432 /test
parent2c596bd3b9cdb541ea70fc0dc584da466b84c794 (diff)
downloaddebian-ansible-core-aa50cf5e169fcddf7e7b049117cdea5e305f6645.zip
New upstream version 2.14.11
Diffstat (limited to 'test')
-rwxr-xr-xtest/integration/targets/ansible-galaxy-role/files/create-role-archive.py45
-rw-r--r--test/integration/targets/ansible-galaxy-role/tasks/dir-traversal.yml44
-rw-r--r--test/integration/targets/ansible-galaxy-role/tasks/main.yml2
-rw-r--r--test/integration/targets/collections/posix.yml4
-rw-r--r--test/integration/targets/win_fetch/tasks/main.yml7
5 files changed, 99 insertions, 3 deletions
diff --git a/test/integration/targets/ansible-galaxy-role/files/create-role-archive.py b/test/integration/targets/ansible-galaxy-role/files/create-role-archive.py
new file mode 100755
index 00000000..cfd908c1
--- /dev/null
+++ b/test/integration/targets/ansible-galaxy-role/files/create-role-archive.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+"""Create a role archive which overwrites an arbitrary file."""
+
+import argparse
+import pathlib
+import tarfile
+import tempfile
+
+
+def main() -> None:
+ parser = argparse.ArgumentParser(description=__doc__)
+ parser.add_argument('archive', type=pathlib.Path, help='archive to create')
+ parser.add_argument('content', type=pathlib.Path, help='content to write')
+ parser.add_argument('target', type=pathlib.Path, help='file to overwrite')
+
+ args = parser.parse_args()
+
+ create_archive(args.archive, args.content, args.target)
+
+
+def create_archive(archive_path: pathlib.Path, content_path: pathlib.Path, target_path: pathlib.Path) -> None:
+ with (
+ tarfile.open(name=archive_path, mode='w') as role_archive,
+ tempfile.TemporaryDirectory() as temp_dir_name,
+ ):
+ temp_dir_path = pathlib.Path(temp_dir_name)
+
+ meta_main_path = temp_dir_path / 'meta' / 'main.yml'
+ meta_main_path.parent.mkdir()
+ meta_main_path.write_text('')
+
+ symlink_path = temp_dir_path / 'symlink'
+ symlink_path.symlink_to(target_path)
+
+ role_archive.add(meta_main_path)
+ role_archive.add(symlink_path)
+
+ content_tarinfo = role_archive.gettarinfo(content_path, str(symlink_path))
+
+ with content_path.open('rb') as content_file:
+ role_archive.addfile(content_tarinfo, content_file)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/test/integration/targets/ansible-galaxy-role/tasks/dir-traversal.yml b/test/integration/targets/ansible-galaxy-role/tasks/dir-traversal.yml
new file mode 100644
index 00000000..c70e8998
--- /dev/null
+++ b/test/integration/targets/ansible-galaxy-role/tasks/dir-traversal.yml
@@ -0,0 +1,44 @@
+- name: create test directories
+ file:
+ path: '{{ remote_tmp_dir }}/dir-traversal/{{ item }}'
+ state: directory
+ loop:
+ - source
+ - target
+ - roles
+
+- name: create test content
+ copy:
+ dest: '{{ remote_tmp_dir }}/dir-traversal/source/content.txt'
+ content: |
+ some content to write
+
+- name: build dangerous dir traversal role
+ script:
+ chdir: '{{ remote_tmp_dir }}/dir-traversal/source'
+ cmd: create-role-archive.py dangerous.tar content.txt {{ remote_tmp_dir }}/dir-traversal/target/target-file-to-overwrite.txt
+ executable: '{{ ansible_playbook_python }}'
+
+- name: install dangerous role
+ command:
+ cmd: ansible-galaxy role install --roles-path '{{ remote_tmp_dir }}/dir-traversal/roles' dangerous.tar
+ chdir: '{{ remote_tmp_dir }}/dir-traversal/source'
+ ignore_errors: true
+ register: galaxy_install_dangerous
+
+- name: check for overwritten file
+ stat:
+ path: '{{ remote_tmp_dir }}/dir-traversal/target/target-file-to-overwrite.txt'
+ register: dangerous_overwrite_stat
+
+- name: get overwritten content
+ slurp:
+ path: '{{ remote_tmp_dir }}/dir-traversal/target/target-file-to-overwrite.txt'
+ register: dangerous_overwrite_content
+ when: dangerous_overwrite_stat.stat.exists
+
+- assert:
+ that:
+ - dangerous_overwrite_content.content|default('')|b64decode == ''
+ - not dangerous_overwrite_stat.stat.exists
+ - galaxy_install_dangerous is failed
diff --git a/test/integration/targets/ansible-galaxy-role/tasks/main.yml b/test/integration/targets/ansible-galaxy-role/tasks/main.yml
index 03d0b3c2..b39df11c 100644
--- a/test/integration/targets/ansible-galaxy-role/tasks/main.yml
+++ b/test/integration/targets/ansible-galaxy-role/tasks/main.yml
@@ -59,3 +59,5 @@
- name: Uninstall invalid role
command: ansible-galaxy role remove invalid-testrole
+
+- import_tasks: dir-traversal.yml
diff --git a/test/integration/targets/collections/posix.yml b/test/integration/targets/collections/posix.yml
index 903fb4ff..4db20003 100644
--- a/test/integration/targets/collections/posix.yml
+++ b/test/integration/targets/collections/posix.yml
@@ -151,8 +151,8 @@
- assert:
that:
- - |
- 'This is a broken filter plugin.' in result.msg
+ # FUTURE: ensure that the warning was also issued with the actual failure details
+ - result is failed
- debug:
msg: "{{ 'foo'|missing.collection.filter }}"
diff --git a/test/integration/targets/win_fetch/tasks/main.yml b/test/integration/targets/win_fetch/tasks/main.yml
index 78b6fa02..b5818352 100644
--- a/test/integration/targets/win_fetch/tasks/main.yml
+++ b/test/integration/targets/win_fetch/tasks/main.yml
@@ -176,8 +176,13 @@
- "fetch_missing_implicit.msg"
- "fetch_missing_implicit is not changed"
+- name: create empty temp directory
+ win_file:
+ path: '{{ remote_tmp_dir }}\fetch_tmp'
+ state: directory
+
- name: attempt to fetch a directory
- fetch: src="C:\\Windows" dest={{ host_output_dir }}
+ fetch: src="{{ remote_tmp_dir }}\\fetch_tmp" dest={{ host_output_dir }}
register: fetch_dir
ignore_errors: true