Fix installing roles containing safe symlinks #82911

s-hertel · 2024-03-25T17:54:57Z

SUMMARY

Fix setting symlinks relative to the link's directory by using the original value instead of the resolved path when it contains ...

For example:

role
├── handlers
│ └── utils.yml -> ../tasks/utils/suite.yml

The link ../tasks/utils/suite.yml will resolve to a path outside of the link's directory, but within the role: role/tasks/utils/suite.yml. The path relative to the role is tasks/utils/suite.yml, but if the symlink is set to that value, it would be extracted as the incorrect path role/handlers/tasks/utils/suite.yml.

Simplify unfrackpath and is_subdir calls

Reduce test setup/cleanup/improve readability by moving the role containing valid symlinks into files/

ISSUE TYPE

Bugfix Pull Request

symlinks containing '..' must be set to the original value instead of the resolved path. For example: role ├── handlers │ └── utils.yml -> ../tasks/utils/suite.yml The link ../tasks/utils/suite.yml will resolve to a path outside of the link's directory, but within the role (assuming the file exists) role/handlers/../tasks/utils/suite.yml resolves to role/tasks/utils/suite.yml the path relative to the role is tasks/utils/suite.yml, but if we set the symlink to that value, it would be extracted as the incorrect path role/handlers/tasks/utils/suite.yml Improve test case readability by building it from role files changelog

test/integration/targets/ansible-galaxy-role/tasks/valid-role-symlinks.yml

test/integration/targets/ansible-galaxy-role/meta/main.yml

changelogs/fragments/ansible-galaxy-role-install-symlink.yml

* Fix installing roles containing symlinks Fix sanitizing tarfile symlinks relative to the link directory instead of the archive For example: role ├── handlers │ └── utils.yml -> ../tasks/utils/suite.yml The link ../tasks/utils/suite.yml will resolve to a path outside of the link's directory, but within the role role/handlers/../tasks/utils/suite.yml the resolved path relative to the role is tasks/utils/suite.yml, but if the symlink is set to that value, tarfile would extract it from role/handlers/tasks/utils/suite.yml * Replace overly forgiving test case with tests for a symlink in a subdirectory of the archive and a symlink in the archive dir when these are not equivalent. * Build test case from role files to make it easier to add test cases Fixes ansible#82702 Fixes ansible#81965 Fixes ansible#82051 (cherry picked from commit e84240d)

* Fix installing roles containing symlinks Fix sanitizing tarfile symlinks relative to the link directory instead of the archive For example: role ├── handlers │ └── utils.yml -> ../tasks/utils/suite.yml The link ../tasks/utils/suite.yml will resolve to a path outside of the link's directory, but within the role role/handlers/../tasks/utils/suite.yml the resolved path relative to the role is tasks/utils/suite.yml, but if the symlink is set to that value, tarfile would extract it from role/handlers/tasks/utils/suite.yml * Replace overly forgiving test case with tests for a symlink in a subdirectory of the archive and a symlink in the archive dir when these are not equivalent. * Build test case from role files to make it easier to add test cases Fixes #82702 Fixes #81965 Fixes #82051 (cherry picked from commit e84240d)

ansibot added bug This issue/PR relates to a bug. needs_triage Needs a first human triage before being processed. has_issue labels Mar 25, 2024

s-hertel added the unimportant_ci This PR does not need to have healthy CI status and should be ignored by the CI infra maintainers. label Mar 25, 2024

s-hertel marked this pull request as draft March 25, 2024 18:05

s-hertel force-pushed the fix-role-symlinks branch from f5f45aa to db75b7a Compare March 25, 2024 18:17

s-hertel marked this pull request as ready for review March 25, 2024 18:17

s-hertel added unimportant_ci This PR does not need to have healthy CI status and should be ignored by the CI infra maintainers. and removed unimportant_ci This PR does not need to have healthy CI status and should be ignored by the CI infra maintainers. labels Mar 25, 2024

s-hertel marked this pull request as draft March 25, 2024 18:26

ansibot added the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label Mar 25, 2024

s-hertel marked this pull request as ready for review March 25, 2024 20:27

s-hertel added ci_verified Changes made in this PR are causing tests to fail. and removed unimportant_ci This PR does not need to have healthy CI status and should be ignored by the CI infra maintainers. needs_triage Needs a first human triage before being processed. labels Mar 25, 2024

ansibot added needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. labels Apr 9, 2024

s-hertel force-pushed the fix-role-symlinks branch from 3f5cf57 to d9b070f Compare April 17, 2024 17:24

s-hertel force-pushed the fix-role-symlinks branch from b7638e0 to 4215c2c Compare April 18, 2024 00:08

s-hertel commented Apr 22, 2024

View reviewed changes

test/integration/targets/ansible-galaxy-role/tasks/valid-role-symlinks.yml Show resolved Hide resolved

test/integration/targets/ansible-galaxy-role/meta/main.yml Outdated Show resolved Hide resolved

Apply suggestions from code review

3a6aae7

s-hertel commented Apr 22, 2024

View reviewed changes

changelogs/fragments/ansible-galaxy-role-install-symlink.yml Outdated Show resolved Hide resolved

Update changelogs/fragments/ansible-galaxy-role-install-symlink.yml

d4c86e7

ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Apr 22, 2024

s-hertel commented Apr 23, 2024

View reviewed changes

changelogs/fragments/ansible-galaxy-role-install-symlink.yml Outdated Show resolved Hide resolved

Update changelogs/fragments/ansible-galaxy-role-install-symlink.yml

91b9813

s-hertel merged commit e84240d into ansible:devel Apr 24, 2024
66 checks passed

jsf9k mentioned this pull request May 3, 2024

Revert ansible-core pin when that becomes possible cisagov/skeleton-ansible-role#178

Closed

ansible locked and limited conversation to collaborators May 22, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix installing roles containing safe symlinks #82911

Fix installing roles containing safe symlinks #82911

s-hertel commented Mar 25, 2024 •

edited

Loading

Fix installing roles containing safe symlinks #82911

Fix installing roles containing safe symlinks #82911

Conversation

s-hertel commented Mar 25, 2024 • edited Loading

SUMMARY

ISSUE TYPE

s-hertel commented Mar 25, 2024 •

edited

Loading