diff options
author | Lee Garrett <lgarrett@rocketjump.eu> | 2023-10-20 16:36:43 +0200 |
---|---|---|
committer | Lee Garrett <lgarrett@rocketjump.eu> | 2023-10-20 16:36:43 +0200 |
commit | aa50cf5e169fcddf7e7b049117cdea5e305f6645 (patch) | |
tree | 29bff81a20cd2be84df506a6e431050c66700432 /test | |
parent | 2c596bd3b9cdb541ea70fc0dc584da466b84c794 (diff) | |
download | debian-ansible-core-aa50cf5e169fcddf7e7b049117cdea5e305f6645.zip |
New upstream version 2.14.11
Diffstat (limited to 'test')
5 files changed, 99 insertions, 3 deletions
diff --git a/test/integration/targets/ansible-galaxy-role/files/create-role-archive.py b/test/integration/targets/ansible-galaxy-role/files/create-role-archive.py new file mode 100755 index 00000000..cfd908c1 --- /dev/null +++ b/test/integration/targets/ansible-galaxy-role/files/create-role-archive.py @@ -0,0 +1,45 @@ +#!/usr/bin/env python +"""Create a role archive which overwrites an arbitrary file.""" + +import argparse +import pathlib +import tarfile +import tempfile + + +def main() -> None: + parser = argparse.ArgumentParser(description=__doc__) + parser.add_argument('archive', type=pathlib.Path, help='archive to create') + parser.add_argument('content', type=pathlib.Path, help='content to write') + parser.add_argument('target', type=pathlib.Path, help='file to overwrite') + + args = parser.parse_args() + + create_archive(args.archive, args.content, args.target) + + +def create_archive(archive_path: pathlib.Path, content_path: pathlib.Path, target_path: pathlib.Path) -> None: + with ( + tarfile.open(name=archive_path, mode='w') as role_archive, + tempfile.TemporaryDirectory() as temp_dir_name, + ): + temp_dir_path = pathlib.Path(temp_dir_name) + + meta_main_path = temp_dir_path / 'meta' / 'main.yml' + meta_main_path.parent.mkdir() + meta_main_path.write_text('') + + symlink_path = temp_dir_path / 'symlink' + symlink_path.symlink_to(target_path) + + role_archive.add(meta_main_path) + role_archive.add(symlink_path) + + content_tarinfo = role_archive.gettarinfo(content_path, str(symlink_path)) + + with content_path.open('rb') as content_file: + role_archive.addfile(content_tarinfo, content_file) + + +if __name__ == '__main__': + main() diff --git a/test/integration/targets/ansible-galaxy-role/tasks/dir-traversal.yml b/test/integration/targets/ansible-galaxy-role/tasks/dir-traversal.yml new file mode 100644 index 00000000..c70e8998 --- /dev/null +++ b/test/integration/targets/ansible-galaxy-role/tasks/dir-traversal.yml @@ -0,0 +1,44 @@ +- name: create test directories + file: + path: '{{ remote_tmp_dir }}/dir-traversal/{{ item }}' + state: directory + loop: + - source + - target + - roles + +- name: create test content + copy: + dest: '{{ remote_tmp_dir }}/dir-traversal/source/content.txt' + content: | + some content to write + +- name: build dangerous dir traversal role + script: + chdir: '{{ remote_tmp_dir }}/dir-traversal/source' + cmd: create-role-archive.py dangerous.tar content.txt {{ remote_tmp_dir }}/dir-traversal/target/target-file-to-overwrite.txt + executable: '{{ ansible_playbook_python }}' + +- name: install dangerous role + command: + cmd: ansible-galaxy role install --roles-path '{{ remote_tmp_dir }}/dir-traversal/roles' dangerous.tar + chdir: '{{ remote_tmp_dir }}/dir-traversal/source' + ignore_errors: true + register: galaxy_install_dangerous + +- name: check for overwritten file + stat: + path: '{{ remote_tmp_dir }}/dir-traversal/target/target-file-to-overwrite.txt' + register: dangerous_overwrite_stat + +- name: get overwritten content + slurp: + path: '{{ remote_tmp_dir }}/dir-traversal/target/target-file-to-overwrite.txt' + register: dangerous_overwrite_content + when: dangerous_overwrite_stat.stat.exists + +- assert: + that: + - dangerous_overwrite_content.content|default('')|b64decode == '' + - not dangerous_overwrite_stat.stat.exists + - galaxy_install_dangerous is failed diff --git a/test/integration/targets/ansible-galaxy-role/tasks/main.yml b/test/integration/targets/ansible-galaxy-role/tasks/main.yml index 03d0b3c2..b39df11c 100644 --- a/test/integration/targets/ansible-galaxy-role/tasks/main.yml +++ b/test/integration/targets/ansible-galaxy-role/tasks/main.yml @@ -59,3 +59,5 @@ - name: Uninstall invalid role command: ansible-galaxy role remove invalid-testrole + +- import_tasks: dir-traversal.yml diff --git a/test/integration/targets/collections/posix.yml b/test/integration/targets/collections/posix.yml index 903fb4ff..4db20003 100644 --- a/test/integration/targets/collections/posix.yml +++ b/test/integration/targets/collections/posix.yml @@ -151,8 +151,8 @@ - assert: that: - - | - 'This is a broken filter plugin.' in result.msg + # FUTURE: ensure that the warning was also issued with the actual failure details + - result is failed - debug: msg: "{{ 'foo'|missing.collection.filter }}" diff --git a/test/integration/targets/win_fetch/tasks/main.yml b/test/integration/targets/win_fetch/tasks/main.yml index 78b6fa02..b5818352 100644 --- a/test/integration/targets/win_fetch/tasks/main.yml +++ b/test/integration/targets/win_fetch/tasks/main.yml @@ -176,8 +176,13 @@ - "fetch_missing_implicit.msg" - "fetch_missing_implicit is not changed" +- name: create empty temp directory + win_file: + path: '{{ remote_tmp_dir }}\fetch_tmp' + state: directory + - name: attempt to fetch a directory - fetch: src="C:\\Windows" dest={{ host_output_dir }} + fetch: src="{{ remote_tmp_dir }}\\fetch_tmp" dest={{ host_output_dir }} register: fetch_dir ignore_errors: true |