Evaluation of Jinja2 templates #4652
Right now, ansible-lint seems to use ansible-core's Templar to template Jinja2 templates. A downside of this is that random code can get executed, like filter plugins, test plugins, and lookup plugins. Lookups are disabled, but the method to disable them is removed for ansible-core 2.19, so with ansible-core 2.19 lookups will also be executed. (Related: #4643, #2681.) I think this is dangerous and should be removed in general.

I guess (since I really don't know) that ansible-lint tries to evaluate templates to improve validation: if (with all missing information) it's still possible to evaluate a template, and the value turns out to be a string "foo" which is supplied to something that should be a boolean, ansible-lint can tell this to the user. Otherwise it can only see that

If this is the main reason, then maybe this problem should be solved in a different way than by allowing arbitrary filters, tests, and (soon, with ansible-core 2.19) lookups to run. Just think of what happens if you create a filter/test/lookup plugin that deletes all files it can find in your home directory, add a role that calls this plugin in a template, and put that in a repo. If anyone ever runs ansible-lint on that repo, they get their home directory cleaned up. (For this reason, right now you should only run ansible-lint on content you really trust.) (A similar problem might still be there for module code; it seems that #3831 still hasn't been fixed.)
This would be easy to solve if Jinja2 would allow parsing an AST from a template, and partial evaluation of the AST (where evaluation stops and results in a partial AST when information is missing that is necessary to further evaluate). It looks like Jinja2's parser is a public API, so parsing seems to be possible. How much help it provides for partial evaluation I don't know, though I guess some simple enough templates can be handled explicitly with the parser and the AST already.
There are lots of different ways to nerf Jinja template execution (much more effectively than the lookup disabling ever did), but someone that knows the lint code would need to work with us to figure out the best approach, since I'm not clear on what's actually needed from the template engine for various rules. Anything that alters the execution behavior would of course reduce the effectiveness/correctness of some rules.