
risky-shell-pipe false positive: pipe operator in multi-line Jinja template is interpreted as shell pipe

Open lucendio opened this issue 1 year ago • 1 comments

Summary

Using a Jinja template with the | operator in a multi-line (!) shell cmd string is recognized as a risky-shell-pipe violation.

Issue Type

  • Bug Report

OS / ENVIRONMENT

ansible-lint --version
ansible-lint 6.21.1 using ansible-core:2.14.11 ansible-compat:4.1.10 ruamel-yaml:0.17.40 ruamel-yaml-clib:0.2.8

Actual / Desired Behavior

- vars:
    values:
      - 'itemA'
      - 'itemB'
  ansible.builtin.shell:
    executable: '/usr/bin/bash'
    cmd: >-
      echo {{
        values | first
      }}

fails while it's not supposed to:

risky-shell-pipe: Shells that use pipes should set the pipefail option.
tasks/example.yaml:1 Task/Handler: shell executable=/usr/bin/bash cmd=echo {{
  values | first
}}

BUT

- vars:
    values:
      - 'itemA'
      - 'itemB'
  ansible.builtin.shell:
    executable: '/usr/bin/bash'
    cmd: >-
      set -o pipefail;
      echo {{
        values | first
      }}

and

- vars:
    values:
      - 'itemA'
      - 'itemB'
  ansible.builtin.shell:
    executable: '/usr/bin/bash'
    cmd: >-
      echo {{ values | first }}

succeed.

While the result of the last 2 examples is expected, the first one is not. If pipe operators are only part of a Jinja template in the cmd string value, the rule should not match, regardless of whether it's multi-line or single-line.

lucendio, Nov 02 '23 14:11

A PR to improve the behaviour would be more than welcomed here.

ssbarnea, Nov 03 '23 13:11
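
The behaviour the issue asks for, as an added sketch that is not part of the original thread and is not ansible-lint's own code: mask Jinja blocks across line breaks before looking for a shell pipe. The helper names and patterns are assumptions; the cmd strings are the folded values as they appear in the lint output above, and the single-line pattern is included only to show that masking without `re.DOTALL` reproduces the reported result.

```python
import re

# Hypothetical patterns for illustration only.
_JINJA = r"\{\{.+?\}\}|\{%.+?%\}|\{#.+?#\}"
JINJA_SINGLE_LINE = re.compile(_JINJA)           # "." stops at a newline
JINJA_ANY_LINE = re.compile(_JINJA, re.DOTALL)   # "." also crosses newlines

# A lone "|" that is not half of the "||" operator.
PIPE = re.compile(r"(?<!\|)\|(?!\|)")
# "set -o pipefail", also in combined forms such as "set -euo pipefail".
PIPEFAIL = re.compile(r"\bset\s[^;\n]*-[A-Za-z]*o\s+pipefail")


def mask_jinja(cmd, pattern=JINJA_ANY_LINE):
    """Replace every Jinja block with a placeholder that contains no pipe."""
    return pattern.sub("JINJA", cmd)


def needs_pipefail(cmd, pattern=JINJA_ANY_LINE):
    """True when cmd has a shell pipe outside Jinja and no pipefail option."""
    if PIPEFAIL.search(cmd):
        return False
    return bool(PIPE.search(mask_jinja(cmd, pattern)))


# Constructed inputs: the three cmd values from the issue after YAML folding,
# plus one task with a real shell pipe next to a multi-line template.
MULTI_LINE = "echo {{\n  values | first\n}}"
WITH_PIPEFAIL = "set -o pipefail; echo {{\n  values | first\n}}"
SINGLE_LINE = "echo {{ values | first }}"
REAL_PIPE = "cat {{ path }} | grep {{\n  values | first\n}}"

if __name__ == "__main__":
    for label, cmd in [
        ("multi-line template", MULTI_LINE),
        ("with pipefail", WITH_PIPEFAIL),
        ("single-line template", SINGLE_LINE),
        ("real shell pipe", REAL_PIPE),
    ]:
        print(
            f"{label:22} single-line mask: "
            f"{needs_pipefail(cmd, JINJA_SINGLE_LINE)!s:5} "
            f"multi-line mask: {needs_pipefail(cmd)}"
        )
```
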