ansible/CVE-2020-1738.patch
2021-09-17 14:33:51 +08:00


From 52d70d28eac2655a610b57291ca73e6ad33367ea Mon Sep 17 00:00:00 2001
From: Abbijeet Kasurde <akasurde@redhat.com>
Date: Thu, 16 Sep 2021 17:32:34 +0800
Subject: [PATCH] [WIP] Add whitelisting for package and service module
---
lib/ansible/plugins/action/package.py | 8 ++++++++
lib/ansible/plugins/action/service.py | 5 +++++
2 files changed, 13 insertions(+)
diff --git a/lib/ansible/plugins/action/package.py b/lib/ansible/plugins/action/package.py
index 932acccb..18acc856 100644
--- a/lib/ansible/plugins/action/package.py
+++ b/lib/ansible/plugins/action/package.py
@@ -56,6 +56,14 @@ class ActionModule(ActionBase):
module = facts.get('ansible_facts', {}).get('ansible_pkg_mgr', 'auto')
if module != 'auto':
+ if module not in ['apk','apt_rpm','apt','dnf','homebrew_cask',
+ 'homebrew_tap','homebrew','installp','macports','mas',
+ 'openbsd_pkg','opkg','pacman','pkg5','pkgin',
+ 'pkgng','pkgutil','portage','portinstall','slackpkg',
+ 'snap','sorcery','svr4pkg','swdepot','swupd',
+ 'urpmi','xbps','yum','zypper']:
+ raise AnsibleActionFail('Coudld not find a module for package manager %s.'
+ 'Try setting the "use" option.'% module)
if module not in self._shared_loader_obj.module_loader:
raise AnsibleActionFail('Could not find a module for %s.' % module)
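Review bot: The new `AnsibleActionFail` message in this hunk is garbled: `Coudld` is a typo, and the two adjacent literals join as `...%s.Try setting...` because neither carries a space. A single literal such as `'Could not find a module for package manager %s. Try setting the "use" option.' % module` reads correctly. The check sits under `if module != 'auto':`, so it looks as though a name supplied explicitly through `use` is held to the same list as the value read from the `ansible_pkg_mgr` fact. If that is so, the hint to set `use` cannot help and any package module outside the list is refused, which is worth confirming as intended. The inline package-manager list would also be easier to audit as a module-level constant, and the enclosing method starts and ends outside the hunk.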
diff --git a/lib/ansible/plugins/action/service.py b/lib/ansible/plugins/action/service.py
index 3ebd0ae1..d9b0344b 100644
--- a/lib/ansible/plugins/action/service.py
+++ b/lib/ansible/plugins/action/service.py
@@ -61,6 +61,11 @@ class ActionModule(ActionBase):
module = 'service'
if module != 'auto':
+ # Check if auto detected module is valid module name or not
+ if module not in ['nosh','openwrt_init','runit',
+ 'svc','systemd','sysvinit']:
+ raise AnsibleActionFail('Could not find module for service manager %s.'
+ 'Try setting the "use" option.')
# run the 'service' module
new_module_args = self._task.args.copy()
if 'use' in new_module_args:
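Review bot: The added `raise` never interpolates the module name: the string contains `%s` but no `% module` follows, so the literal `%s` is shown, and the two literals join without a space. `'Could not find module for service manager %s. Try setting the "use" option.' % module` fixes both. The list also omits `'service'`, while the context line directly above the check assigns `module = 'service'`. Unless that assignment is on a path that cannot reach this check (its guard is outside the hunk), that value would now always raise, so `'service'` likely belongs in the list. The enclosing method starts and ends outside the hunk.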
--
2.27.0