Skip to content

Commit

Permalink
detail about playbook conditionals from changelog (#423)
Browse files Browse the repository at this point in the history
This change manually includes details from the 2.17.0 changelog that
were not included in the porting guide.
  • Loading branch information
oraNod authored Jun 4, 2024
1 parent 876b0ef commit 6027fb5
Showing 1 changed file with 21 additions and 1 deletion.
22 changes: 21 additions & 1 deletion 10/porting_guide_10.rst
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,27 @@ We suggest you read this page along with the `Ansible 10 Changelog <https://gith
Playbook
========

No notable changes
* Conditionals - due to mitigation of security issue CVE-2023-5764 in ansible-core 2.16.1,
conditional expressions with embedded template blocks can fail with the message
"``Conditional is marked as unsafe, and cannot be evaluated.``" when an embedded template
consults data from untrusted sources like module results or vars marked ``!unsafe``.
Conditionals with embedded templates can be a source of malicious template injection when
referencing untrusted data, and can nearly always be rewritten without embedded
templates. Playbook task conditional keywords such as ``when`` and ``until`` have long
displayed warnings discouraging use of embedded templates in conditionals; this warning
has been expanded to non-task conditionals as well, such as the ``assert`` action.

.. code-block:: yaml
- name: task with a module result (always untrusted by Ansible)
shell: echo "hi mom"
register: untrusted_result
# don't do it this way...
# - name: insecure conditional with embedded template consulting untrusted data
# assert:
# that: '"hi mom" is in {{ untrusted_result.stdout }}'
- name: securely access untrusted values directly as Jinja variables instead
assert:
that: '"hi mom" is in untrusted_result.stdout'
Command Line
Expand Down

0 comments on commit 6027fb5

Please sign in to comment.