Yeah, I understand that nullable approach, I also had the same idea originally. However, it requires all modules to be modified to support nullable value isn't it. In the mean time, my default omit could be a pretty helpful temporary solution. Just made a pull request to show how it works
https://github.com/ansible/ansible/pull/8323 Michael DeHaan於 2014年7月28日星期一UTC-7下午5時40分18秒寫道: > > For completeness, the security bug was about untrusted remote data (from > facts) being used to add arguments to commands in playbooks if things were > formatted in ways that would allow it. > > I can't say I entirely follow the omit proposal but I think I get the > gist. However, it's better if we can do something that covers both > key=value and longform arguments. I like the following idea a little > better: > > Basically what would need to be done here is to teach the code what to do > if the gid was None, and introduce the concept that None meant "no change" > as if the argument was not set. > > This may require something on argument_spec (sorry, code internals) that > looks like > > argument_spec = dict( > param = dict(name='foo', required=False, nullable=True) > ) > > And if the param is "None" or "", it would be /removed/ from the input > parameter list, if set nullable. > > For completeness, you have the following workaround available now but > probably won't like it: > > - module_name: foo=bar > when: baz is undefined > - module_name: foo=bar baz={{ baz }} > when: baz is defined > > I understand that's not perfect, but we do need to protect against > variable additions. > > In my proposal, you could still do > > - module_name: foo=bar baz={{ baz }} > > Because baz should insert None if set None. if undefined, needs to be > |default(None). > > > > > > > On Mon, Jul 28, 2014 at 8:34 PM, Michael DeHaan <[email protected] > <javascript:>> wrote: > >> Replying shortly. >> >> For clarity purposes what you have selected in the original pastebin >> which is no longer legal was: >> >> - name: generic-users | Make sure all groups are present >> group: name={{item.name}}{% if item.system is defined %} {{item.system}}{% >> endif %}{% if item.gid is defined %} gid={{item.gid}}{% endif %} >> state=present >> >> with_items: genericusers_groups >> >> >> >> On Mon, Jul 28, 2014 at 8:30 PM, Victor Lin <[email protected] >> <javascript:>> wrote: >> >>> I noticed that since the new ansible with security patched is released, >>> many our roles and playbooks are broken. For example, our role depends on >>> this, it is also broken >>> >>> >>> https://github.com/Ansibles/generic-users/blob/master/tasks/main.yml#L3-L5 >>> >>> since it uses if else statements to generate optional arguments like >>> gid. In the latest version of Ansible, it adds new arguments, so it fails >>> to pass security check, an error like >>> >>> A variable inserted a new parameter into the module args. Be sure to >>> quote variables if they contain equal signs (for example: "{{var}}"). >>> >>> is raised. >>> >>> I tried to modify the way arguments are passed by leveraging default >>> filter >>> >>> - name: generic-users | Make sure all groups are present >>> group: > >>> name="{{ item.name }}" >>> system="{{ item.system|default('no') }}" >>> gid="{{ item.gid|default(None) }}" >>> state=present >>> with_items: genericusers_groups >>> >>> >>> For argument "system", there is a value "no" I can use as a default >>> value, no problem at all. But for "gid", I tried to feed it with >>> "default(None)", the value will be rendered as string first anyway, so that >>> would be gid=None, ValueError be raised. As a result, unavoidable, I need >>> to pass a valid value to gid. >>> >>> I saw some discuss in this issue report: >>> https://github.com/ansible/ansible/issues/8233 >>> >>> I understand that for security reason, if-else statements in playbook >>> are not welcomed, but the problem is without if-else statements, I have no >>> idea how to omit arguments without "do not set anything for this" value. >>> The problem is a little bit like Python's not set default value, we usually >>> create an object stands for not_set value like this >>> >>> NOT_SET = object() >>> >>> def foobar(value=NOT_SET): >>> pass >>> >>> But in ansible, I didn't see anything like that. Or did I miss >>> something? I think it would be helpful if there is some kind of special >>> filter like >>> >>> - name: generic-users | Make sure all groups are present >>> group: > >>> name="{{ item.name }}" >>> system="{{ item.system|default('no') }}" >>> gid="{{ item.gid|default_omit) }}" >>> state=present >>> with_items: genericusers_groups >>> >>> The default_omit filter here omits "gid" argument if it is not defined. >>> Just an idea. However, since modifying context in a jinja2 template would >>> be difficult to implement, I think maybe it's better to encourage YAML >>> style arguments like this: >>> >>> - name: generic-users | Make sure all groups are present >>> group: >>> name: "{{ item.name }}" >>> system: "{{ item.system|default('no') }}" >>> gid: "{{ item.gid|default_omit) }}" >>> state=present >>> with_items: genericusers_groups >>> >>> And for the default_omit, maybe it can return a random nonce generated >>> by system (so that attacker cannot inject this value to remove argument), >>> like this >>> >>> __omit_place_holder_8843d7f92416211de9ebb963ff4ce28125932878__ >>> >>> And when ansible sees this value for a argument, it simply remove the >>> key from arguments instead of passing it down to module. >>> >>> But anyway, these are just some thinkings, the more important thing is, >>> I would like to know, at this moment, how can I solve that "gid" cannot be >>> omit issue? Is there any workaround? There are so many modules there, if >>> you give an argument there, it means you want to change that thing, and >>> there is no not_set value. >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Ansible Project" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected] <javascript:>. >>> To post to this group, send email to [email protected] >>> <javascript:>. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/ansible-project/592b32aa-ac1d-4e98-bb1d-708b833e0a1c%40googlegroups.com >>> >>> <https://groups.google.com/d/msgid/ansible-project/592b32aa-ac1d-4e98-bb1d-708b833e0a1c%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/8445a609-c12d-4f91-a494-a84ee41ebc07%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
