Updated AnsibleUnsafe notes (rest)

Alex Willmer 2024-03-25 22:44:14 +00:00
parent 5b61655560
commit a46836daba
1 changed files with 12 additions and 6 deletions

@ -31,8 +31,8 @@ Origin Where unsafe is applied
=================== ========================================================= =================== =========================================================
Implementation internals Implementation details
------------------------ ----------------------
``AnsibleUnsafe`` objects are marked by the attribute ``__UNSAFE__=True``. ``AnsibleUnsafe`` objects are marked by the attribute ``__UNSAFE__=True``.
In Ansible <= 6 (ansible-core <= 2.13) casting to the base type removes it In Ansible <= 6 (ansible-core <= 2.13) casting to the base type removes it
@ -191,18 +191,24 @@ Run ansible and view the file contents
File ".../ansible/utils/unsafe_proxy.py", line 208, in _strip_unsafe File ".../ansible/utils/unsafe_proxy.py", line 208, in _strip_unsafe
traceback.print_stack(file=f) traceback.print_stack(file=f)
Discussion
----------
Observations Observations
------------
- ``ansible.utils.unsafe_proxy.*`` is only available on the Ansible controller. - ``ansible.utils.unsafe_proxy.*`` is only available on the Ansible controller.
The module isn't part of ``ansible.module_utils``, so not available on targets. The module isn't part of ``ansible.module_utils``, so not available on targets.
- Pickling/unpickling does not strip the unsafe marker. - Pickling/unpickling does not strip the unsafe marker.
- JSON encoding/decoding strips the unsafe marker. This happens to
``AnsibleModule`` arguments serialised in
``ansible.executor.module_common._find_module_utils()``.
Discussion
----------
Informed guesses of rules/design principals Informed guesses of rules/design principals
- The Ansible controller is the most valued security boundary, then targets. - The Ansible controller is the most valued security perimeter.
- Targets are required/assumed to trust all input from the controller.
By design they execute any arbitrary code that it sends.
- All templating should/does happen on the controller (80% sure). - All templating should/does happen on the controller (80% sure).
- Ansible targets cannot/should not try to mark a value as safe or unsafe. - Ansible targets cannot/should not try to mark a value as safe or unsafe.
The controller couldn't trust that determination anyway. The controller couldn't trust that determination anyway.