pipe: update docs for Popen with shell=True usage #70596

Merged
merged 1 commit into from Jul 13, 2020
2 changes: 2 additions & 0 deletions changelogs/fragments/70261_pipe_lookup.yml
@@ -0,0 +1,2 @@
minor_changes:
- pipe lookup - update docs for Popen with shell=True usages (https://github.com/ansible/ansible/issues/70159).
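Review bot: the fragment file is named 70261_pipe_lookup.yml, but the entry links issue 70159 and this pull request is #70596, so the number in the file name matches neither. Renaming the fragment after one of the two would make it easier to trace back. The entry also says "usages" where the pull request title says "usage".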
21 changes: 14 additions & 7 deletions lib/ansible/plugins/lookup/pipe.py
Expand Up @@ -4,32 +4,39 @@
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type

DOCUMENTATION = """
DOCUMENTATION = r"""
lookup: pipe
author: Daniel Hokka Zakrisson <daniel@hozac.com>
version_added: "0.9"
short_description: read output from a command
description:
- Run a command and return the output
- Run a command and return the output.
options:
_terms:
description: command(s) to run
description: command(s) to run.
required: True
notes:
- Like all lookups this runs on the Ansible controller and is unaffected by other keywords, such as become,
so if you need to different permissions you must change the command or run Ansible as another user.
- Alternatively you can use a shell/command task that runs against localhost and registers the result.
- Pipe lookup internally invokes Popen with shell=True (this is required and intentional).
This type of invocation is considered as security issue if appropriate care is not taken to sanitize any user provided or variable input.
It is strongly recommended to pass user input or variable input via quote filter before using with pipe lookup.
See example section for this.
Read more about this L(Bandit B602 docs,https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html)
"""

EXAMPLES = """
EXAMPLES = r"""
- name: raw result of running date command"
debug: msg="{{ lookup('pipe','date') }}"
debug:
msg: "{{ lookup('pipe', 'date') }}"

- name: Always use quote filter to make sure your variables are safe to use with shell
debug: msg="{{ lookup('pipe','getent ' + myuser|quote ) }}"
debug:
msg: "{{ lookup('pipe', 'getent ' + myuser | quote ) }}"
"""

RETURN = """
RETURN = r"""
_string:
description:
- stdout from command
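Review bot: in the new notes entry, "It is strongly recommended to pass user input or variable input via quote filter" reads as if quoting alone were sufficient, but quote only stops the shell from interpreting the value; a value that begins with "-" still reaches the command as an option. Suggest stating that limit in the note and, where the command supports it, placing "--" before the variable in the example. In EXAMPLES, 'getent ' + myuser | quote omits the database argument that getent expects (for example getent passwd) and relies on the filter binding tighter than "+", so writing (myuser | quote) would make the intent explicit. Smaller points: "considered as security issue" needs an article, the last sentence of the note has no full stop, the first example's name ends in a stray double quote, and the context line "if you need to different permissions" is missing a word.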