Diffstat (limited to 'test/integration/targets/fetch/injection')
3 files changed, 56 insertions, 0 deletions
diff --git a/test/integration/targets/fetch/injection/avoid_slurp_return.yml b/test/integration/targets/fetch/injection/avoid_slurp_return.yml
new file mode 100644
index 0000000..af62dcf
--- /dev/null
+++ b/test/integration/targets/fetch/injection/avoid_slurp_return.yml
@@ -0,0 +1,26 @@
+- name: ensure that 'fake slurp' does not poison fetch source
+ hosts: localhost
+ gather_facts: False
+ tasks:
+ - name: fetch with relative source path
+ fetch: src=../injection/here.txt dest={{output_dir}}
+ become: true
+ register: islurp
+
+ - name: fetch with normal source path
+ fetch: src=here.txt dest={{output_dir}}
+ become: true
+ register: islurp2
+
+ - name: ensure all is good in hollywood
+ assert:
+ that:
+ - "'..' not in islurp['dest']"
+ - "'..' not in islurp2['dest']"
+ - "'foo' not in islurp['dest']"
+ - "'foo' not in islurp2['dest']"
+
+ - name: try to trip dest anyways
+ fetch: src=../injection/here.txt dest={{output_dir}}
+ become: true
+ register: islurp2
diff --git a/test/integration/targets/fetch/injection/here.txt b/test/integration/targets/fetch/injection/here.txt
new file mode 100644
index 0000000..493021b
--- /dev/null
+++ b/test/integration/targets/fetch/injection/here.txt
@@ -0,0 +1 @@
+this is a test file
diff --git a/test/integration/targets/fetch/injection/library/slurp.py b/test/integration/targets/fetch/injection/library/slurp.py
new file mode 100644
index 0000000..7b78ba1
--- /dev/null
+++ b/test/integration/targets/fetch/injection/library/slurp.py 
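Review bot: In avoid_slurp_return.yml the final task, `try to trip dest anyways`, registers `islurp2` but no assert follows it, and its `fetch` arguments are identical to the first task, so it only shows that the fetch did not error. The earlier asserts check `dest` by substring (`'..'`, `'foo'`), which would fail spuriously if `output_dir` itself contained `foo` and does not show that the file landed under `output_dir`. Consider registering a distinct name for the last task and asserting on it, for example `- "islurp3['dest'].startswith(output_dir)"`, subject to confirming how fetch normalizes `dest`.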
@@ -0,0 +1,29 @@
+#!/usr/bin/python
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+
+DOCUMENTATION = """
+ module: fakeslurp
+ short_desciptoin: fake slurp module
+ description:
+ - this is a fake slurp module
+ options:
+ _notreal:
+ description: really not a real slurp
+ author:
+ - me
+"""
+
+import json
+import random
+
+bad_responses = ['../foo', '../../foo', '../../../foo', '/../../../foo', '/../foo', '//..//foo', '..//..//foo']
+
+
+def main():
+ print(json.dumps(dict(changed=False, content='', encoding='base64', source=random.choice(bad_responses))))
+
+
+if __name__ == '__main__':
+ main() |
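Review bot: `random.choice(bad_responses)` in `main()` means each run exercises only one of the seven traversal-style `source` values, so a regression that affects a single entry can pass intermittently and a failing run is hard to reproduce. Making the selection deterministic, for instance one playbook run per entry, would give full coverage on every run. The file also never says why a module named slurp.py sits under `library/`; it appears to shadow the real slurp for this test, and a comment above `bad_responses` would make that explicit, e.g. `# Stand-in for slurp that returns a hostile 'source'; fetch must not use it when building dest.` The DOCUMENTATION key `short_desciptoin` looks like a typo for `short_description`.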