nautobot-ansible
Mark (some ?) Nautobot variables/inputs as unsafe
ISSUE TYPE
- Bug Report
- Feature Idea
SOFTWARE VERSIONS
pynautobot: 1.0.3
Ansible: 2.11.6
Nautobot: 1.1.4
Collection: v3.1.0
SUMMARY
When using Jinja2 tags in some fields imported from Nautobot (like a config context), Ansible will try to template the string which is likely to fail (and may have security implications if you put something like a lookup).
Maybe this is an Ansible bug (or feature, it seems Ansible's inventory plugins are not doing any value sanitization, but I'm not sure this should be the default). In that case maybe this could be an option (enabled by default) in this plugin?
STEPS TO REPRODUCE
- Create a config context like:
    {"my_var": "{{ hi_ansible }}"}
- Use this config context in some playbook like below
    - hosts: all
      tasks:
        # Ok for some reason ..
        - ansible.builtin.debug:
            msg: "{{ hostvars[inventory_hostname].config_context.my_var }}"
          run_once: true
          delegate_to: localhost
        # All of them will fail
        - ansible.builtin.debug:
            msg: "{{ config_context.my_var }}"
            # msg: "{{ lookup('list', [config_context.my_var]) }}"
            # msg: "{{ lookup('list', [hostvars[inventory_hostname].config_context.my_var]) }}"
          run_once: true
          delegate_to: localhost
          # ->"The task includes an option with an undefined variable. The error was: {[..]}: 'hi_ansible' is undefined"
EXPECTED RESULTS
ok: [my_host -> localhost] => {
    "msg": "{{ hi_ansible }}"
}
ACTUAL RESULTS
"The task includes an option with an undefined variable. The error was: {[..]}: 'hi_ansible' is undefined"
Additional information
This can be patched by importing from ansible.utils.unsafe_proxy import wrap_var and wrapping values at https://github.com/nautobot/nautobot-ansible/blob/v3.1.0/plugins/inventory/inventory.py#L1409-L1412.
While I checked the changelog before posting this, I couldn't test with a newer version, sorry.
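
An added example, not part of the original issue or of the collection's code: a standard-library Python audit that walks host variables shaped like the config context above and lists every string value containing a Jinja2 start marker, i.e. the values Ansible would attempt to template unless they are wrapped as unsafe. The function names and the sample data are constructed for illustration.

```python
"""List inventory values that contain Jinja2 start markers."""
from typing import Any, Iterator, List, Tuple

# Jinja2's default start markers for variables, blocks and comments.
JINJA_START_MARKERS = ("{{", "{%", "{#")

# Constructed sample: host variables shaped like the issue's config context.
SAMPLE_HOSTVARS = {
    "my_host": {
        "config_context": {
            "my_var": "{{ hi_ansible }}",
            "ntp": {"servers": ["10.0.0.1", "10.0.0.2"]},
            "banner": ["plain text", "{% raw %}literal{% endraw %}"],
        }
    }
}


def find_template_strings(data: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (path, value) for each string value holding a Jinja2 start marker."""
    if isinstance(data, str):
        if any(marker in data for marker in JINJA_START_MARKERS):
            yield path, data
    elif isinstance(data, dict):
        for key, value in data.items():
            child = f"{path}.{key}" if path else str(key)
            yield from find_template_strings(value, child)
    elif isinstance(data, (list, tuple)):
        for index, item in enumerate(data):
            yield from find_template_strings(item, f"{path}[{index}]")
    # Numbers, booleans and None cannot carry template syntax; skip them.


def audit(hostvars: dict) -> List[Tuple[str, str]]:
    """Return all findings in the order the data is traversed."""
    return list(find_template_strings(hostvars))


if __name__ == "__main__":
    for found_path, found_value in audit(SAMPLE_HOSTVARS):
        print(f"{found_path}: {found_value!r}")
```
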