Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ansible-galaxy - fixup role install failure handling #82052

Draft
wants to merge 5 commits into
base: devel
Choose a base branch
from
Draft

ansible-galaxy - fixup role install failure handling #82052

wants to merge 5 commits into from
+45 −12

Conversation

s-hertel
Copy link
Contributor

@s-hertel s-hertel commented Oct 20, 2023
edited

SUMMARY

Fixes #81965

ddf0311 added sanitization for the tarfile linknames, making '..' invalid for symlinks. This can result in a traceback (if there were no valid parts), or setting symlinks to new paths using the valid parts. This PR restricts that limitation to 'name' again, and instead validates symlinks exist (when we've adjusted them) and that they resolve to a path in the role archive. (Moved to #82165)

This gives an error for invalid parts in the tarfile name/linkname instead of giving a warning and trying to construct a new one.
- I think this is the right behavior for linkname to prevent broken content
- Should I keep it backwards compatible for name in case someone is using the auto-rename-to-something-safe behavior?

Roles are now extracted to a tempdir to prevent partial installs.

Tarfile members outside of the role root are no longer installed (leading to broken roles).

This method is getting long, but refactoring seemed a bit invasive to backport.

  • [] Needs a test for tarfile containing members outside the role root
  • [] Needs a test for rolling back a failed install
  • [] Needs agreement/tests on behavior for invalid components in tarfile member names and linknames - waiting on Targeted fix for installing roles with symlinks containing '..' #82165 since linknames containing '..' aren't safe currently.
ISSUE TYPE
  • Bugfix Pull Request

@s-hertel
Only install a role after it is successfully extracted
b4b6e0a 
Make install more strict about what is extracted from the tarfile:
- fail on invalid content we previously skipped
- give a warning for excluded tarfile content that previously would have been
  included

Allow installing symlinks again, as long at they resolve to a path
within the role

changelog
@ansibot ansibot added bug This issue/PR relates to a bug. needs_triage Needs a first human triage before being processed. has_issue labels Oct 20, 2023
@s-hertel s-hertel mentioned this pull request Oct 20, 2023
Closed
@mkrizek mkrizek removed the needs_triage Needs a first human triage before being processed. label Oct 24, 2023
@s-hertel s-hertel marked this pull request as ready for review October 24, 2023 19:02
@s-hertel s-hertel force-pushed the fix-role-install-misc-and-symlinks branch from 53ecfd5 to 9d54a6d Compare October 24, 2023 19:04
@s-hertel s-hertel marked this pull request as draft October 24, 2023 19:14
@ansibot ansibot added the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label Oct 24, 2023
@Akasurde Akasurde mentioned this pull request Oct 25, 2023
Closed
1 task
@s-hertel s-hertel force-pushed the fix-role-install-misc-and-symlinks branch from 9d54a6d to f5bc6ad Compare October 25, 2023 15:51
@s-hertel
tidy
81d0a32 
add tests for safe and unsafe relative links in roles
@s-hertel s-hertel force-pushed the fix-role-install-misc-and-symlinks branch from f5bc6ad to 81d0a32 Compare October 25, 2023 15:55
@s-hertel s-hertel marked this pull request as ready for review October 25, 2023 15:55
@ansibot ansibot removed the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label Oct 25, 2023
@s-hertel s-hertel mentioned this pull request Oct 26, 2023
Closed
@HarryWeppner HarryWeppner mentioned this pull request Oct 27, 2023
Closed
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Nov 3, 2023
@HarryWeppner
Copy link

@s-hertel and @nitzmahone, this PR promises to fix other galaxy roles as well - do you have an ETA when this will land? Thanks.

s-hertel
s-hertel commented Nov 7, 2023
View reviewed changes
lib/ansible/galaxy/role.py
Comment on lines +420 to +423
# Doesn't happen with our build process, but avoid extracting members that aren't adjacent to the role metadata
display.warning(f"Only extracting members in {n_archive_parent_dir}: ignoring {member.name}")
ignore_external.add(member)
continue
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If a tarfile contains something like:

./role-data/
├── role-name
│   ├── meta/main.yml
│   └── tasks
└── hitchhiker
    └── keep

we find the meta/main.yml in the role-name directory, but install all tarfile members (not just those adjacent to the meta directory). On devel this ends up installing an invalid role (and so it needs to be manually deleted to reinstall).

This could be an error instead, but I thought the warning was better at least than installing a broken role.

Should I separate this from the other changes or is it something we want to backport with the symlinks fix?

lib/ansible/galaxy/role.py
Comment on lines +469 to +470
if invalid_parts or not n_final_parts:
raise AnsibleError(f"role content {member.name} is not able to be extracted")
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a small change to try to avoid installing broken roles, but is not backwards compatible. Should this affect name and linkname?

@s-hertel s-hertel mentioned this pull request Nov 7, 2023
Merged
@s-hertel
Copy link
Contributor Author

s-hertel commented Nov 7, 2023

@HarryWeppner I don't have an ETA (it needs a review), but I decided to split the symlinks fix into a separate PR #82165 to make it safer to backport, since the other issues this is fixing are not new.

@s-hertel s-hertel removed the request for review from nitzmahone November 7, 2023 21:54
@s-hertel s-hertel changed the title ansible-galaxy - fixup role install failure and symlinks ansible-galaxy - fixup role install failure handling Nov 7, 2023
@s-hertel s-hertel marked this pull request as draft November 7, 2023 21:57
@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. labels Nov 7, 2023
webknjaz
webknjaz reviewed Nov 14, 2023
View reviewed changes
lib/ansible/galaxy/collection/__init__.py
@@ -952,7 +952,10 @@ def _tempdir():
try:
yield b_temp_path
finally:
shutil.rmtree(b_temp_path)
try:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(nit) using with contextlib.suppress(FileNotFoundError): might read better.

webknjaz
webknjaz reviewed Nov 14, 2023
View reviewed changes
lib/ansible/galaxy/role.py
@@ -412,24 +421,42 @@ def install(self):
# to debug a broken installation.
if not n_part:
continue
if n_part == '..':
if n_part == '..': # TODO: only disallow .. for 'name' once symlinks are validated
invalid_parts |= True
Copy link
Member

@webknjaz webknjaz Nov 14, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(maintainability concern)

Isn't this the same as just

Suggested change
invalid_parts |= True
invalid_parts = True

?

I keep having to re-verify what | does in the REPL whenever I see |=. It might be useful for collection types (sets, for example), but | used with True on any side of the operand always results in True. So why not just use the assignment operator to save the readers some potential confusion?

@webknjaz
Copy link
Member

A rebase should fix the rpmfluff issue in CI.

@webknjaz webknjaz added the ci_verified Changes made in this PR are causing tests to fail. label Nov 28, 2023
@ansibot ansibot added the needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html label Dec 5, 2023
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Dec 12, 2023
@HarryWeppner
Copy link

@s-hertel, I saw that #82165 was merged into devel but none of the backports were merged. Is there a released version of ansible that has the fix for handling ..?

@s-hertel
Copy link
Contributor Author

@HarryWeppner That's correct, it's only been merged to the devel branch.

@s-hertel
Copy link
Contributor Author

@HarryWeppner Backports have been merged, should be fixed in 2.16.3, 2.15.9, and 2.14.4 (RC1 scheduled for Jan 22, GA Jan 29).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webknjaz webknjaz webknjaz left review comments

Assignees
No one assigned
Labels
bug This issue/PR relates to a bug. ci_verified Changes made in this PR are causing tests to fail. has_issue needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

TypeError: join() missing 1 required positional argument: 'a' in ansible-galaxy
5 participants
@s-hertel @HarryWeppner @webknjaz @mkrizek @ansibot