Thanks for this, though this appears to only work for complex args. If you could make it work for non-complex (key=value) args as well, I'm open to having something like this, but I think the parameter should be, if this does work for them, something like "|nullable" vs "default_omit".
On Mon, Jul 28, 2014 at 9:59 PM, Victor Lin <[email protected]> wrote: > Yeah, I understand that nullable approach, I also had the same idea > originally. However, it requires all modules to be modified to support > nullable value isn't it. In the mean time, my default omit could be a > pretty helpful temporary solution. Just made a pull request to show how it > works > > https://github.com/ansible/ansible/pull/8323 > > Michael DeHaan於 2014年7月28日星期一UTC-7下午5時40分18秒寫道: >> >> For completeness, the security bug was about untrusted remote data (from >> facts) being used to add arguments to commands in playbooks if things were >> formatted in ways that would allow it. >> >> I can't say I entirely follow the omit proposal but I think I get the >> gist. However, it's better if we can do something that covers both >> key=value and longform arguments. I like the following idea a little >> better: >> >> Basically what would need to be done here is to teach the code what to do >> if the gid was None, and introduce the concept that None meant "no change" >> as if the argument was not set. >> >> This may require something on argument_spec (sorry, code internals) that >> looks like >> >> argument_spec = dict( >> param = dict(name='foo', required=False, nullable=True) >> ) >> >> And if the param is "None" or "", it would be /removed/ from the input >> parameter list, if set nullable. >> >> For completeness, you have the following workaround available now but >> probably won't like it: >> >> - module_name: foo=bar >> when: baz is undefined >> - module_name: foo=bar baz={{ baz }} >> when: baz is defined >> >> I understand that's not perfect, but we do need to protect against >> variable additions. >> >> In my proposal, you could still do >> >> - module_name: foo=bar baz={{ baz }} >> >> Because baz should insert None if set None. if undefined, needs to be >> |default(None). >> >> >> >> >> >> >> On Mon, Jul 28, 2014 at 8:34 PM, Michael DeHaan <[email protected]> >> wrote: >> >>> Replying shortly. >>> >>> For clarity purposes what you have selected in the original pastebin >>> which is no longer legal was: >>> >>> - name: generic-users | Make sure all groups are present >>> group: name={{item.name}}{% if item.system is defined %} >>> {{item.system}}{% endif %}{% if item.gid is defined %} gid={{item.gid}}{% >>> endif %} state=present >>> >>> with_items: genericusers_groups >>> >>> >>> >>> On Mon, Jul 28, 2014 at 8:30 PM, Victor Lin <[email protected]> wrote: >>> >>>> I noticed that since the new ansible with security patched is released, >>>> many our roles and playbooks are broken. For example, our role depends on >>>> this, it is also broken >>>> >>>> https://github.com/Ansibles/generic-users/blob/master/ >>>> tasks/main.yml#L3-L5 >>>> >>>> since it uses if else statements to generate optional arguments like >>>> gid. In the latest version of Ansible, it adds new arguments, so it fails >>>> to pass security check, an error like >>>> >>>> A variable inserted a new parameter into the module args. Be sure to >>>> quote variables if they contain equal signs (for example: "{{var}}"). >>>> >>>> is raised. >>>> >>>> I tried to modify the way arguments are passed by leveraging default >>>> filter >>>> >>>> - name: generic-users | Make sure all groups are present >>>> group: > >>>> name="{{ item.name }}" >>>> system="{{ item.system|default('no') }}" >>>> gid="{{ item.gid|default(None) }}" >>>> state=present >>>> with_items: genericusers_groups >>>> >>>> >>>> For argument "system", there is a value "no" I can use as a default >>>> value, no problem at all. But for "gid", I tried to feed it with >>>> "default(None)", the value will be rendered as string first anyway, so that >>>> would be gid=None, ValueError be raised. As a result, unavoidable, I need >>>> to pass a valid value to gid. >>>> >>>> I saw some discuss in this issue report: https://github.com/ >>>> ansible/ansible/issues/8233 >>>> >>>> I understand that for security reason, if-else statements in playbook >>>> are not welcomed, but the problem is without if-else statements, I have no >>>> idea how to omit arguments without "do not set anything for this" value. >>>> The problem is a little bit like Python's not set default value, we usually >>>> create an object stands for not_set value like this >>>> >>>> NOT_SET = object() >>>> >>>> def foobar(value=NOT_SET): >>>> pass >>>> >>>> But in ansible, I didn't see anything like that. Or did I miss >>>> something? I think it would be helpful if there is some kind of special >>>> filter like >>>> >>>> - name: generic-users | Make sure all groups are present >>>> group: > >>>> name="{{ item.name }}" >>>> system="{{ item.system|default('no') }}" >>>> gid="{{ item.gid|default_omit) }}" >>>> state=present >>>> with_items: genericusers_groups >>>> >>>> The default_omit filter here omits "gid" argument if it is not defined. >>>> Just an idea. However, since modifying context in a jinja2 template would >>>> be difficult to implement, I think maybe it's better to encourage YAML >>>> style arguments like this: >>>> >>>> - name: generic-users | Make sure all groups are present >>>> group: >>>> name: "{{ item.name }}" >>>> system: "{{ item.system|default('no') }}" >>>> gid: "{{ item.gid|default_omit) }}" >>>> state=present >>>> with_items: genericusers_groups >>>> >>>> And for the default_omit, maybe it can return a random nonce generated >>>> by system (so that attacker cannot inject this value to remove argument), >>>> like this >>>> >>>> __omit_place_holder_8843d7f92416211de9ebb963ff4ce28125932878__ >>>> >>>> And when ansible sees this value for a argument, it simply remove the >>>> key from arguments instead of passing it down to module. >>>> >>>> But anyway, these are just some thinkings, the more important thing is, >>>> I would like to know, at this moment, how can I solve that "gid" cannot be >>>> omit issue? Is there any workaround? There are so many modules there, if >>>> you give an argument there, it means you want to change that thing, and >>>> there is no not_set value. >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "Ansible Project" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To post to this group, send email to [email protected]. >>>> >>>> To view this discussion on the web visit https://groups.google.com/d/ >>>> msgid/ansible-project/592b32aa-ac1d-4e98-bb1d- >>>> 708b833e0a1c%40googlegroups.com >>>> <https://groups.google.com/d/msgid/ansible-project/592b32aa-ac1d-4e98-bb1d-708b833e0a1c%40googlegroups.com?utm_medium=email&utm_source=footer> >>>> . >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>> >>> >> -- > You received this message because you are subscribed to the Google Groups > "Ansible Project" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/ansible-project/8445a609-c12d-4f91-a494-a84ee41ebc07%40googlegroups.com > <https://groups.google.com/d/msgid/ansible-project/8445a609-c12d-4f91-a494-a84ee41ebc07%40googlegroups.com?utm_medium=email&utm_source=footer> > . > > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgy2s3mR-sbtqeOYK9COuXPUC8P5ZRtGhKTjFV6sYuj3Bg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
