* robustness: quote test backup/restore file names
This avoids issues if file names are not safepaths.
* security: use quote with command, shell and validate with variable
Skip quotation only if variable is checked.
Add test suit to excercise some quote use cases.
* robustness: fail if systemd.unit could have something in need of quote
Ensure systemd.unit contents is robust. This disables possibility to
have something that needs to be quoted there. But as ansible lacks
proper way to quote systemd unit files (see man systemd.syntax, rules
are not shell rules), it is better to fail such configs. If you are
trying to do that, you are doing it wrong anyway or have malicious
intent.
Also ensure similar issue with sysctl.conf.
Issue can be seen with `tests_hostkeys_unsafe_path.yml`, when adding
following to role params:
sshd_install_service: true
sshd_config_file: "{{ ansible_facts.env.TMPDIR }}/sshd.d/foo.conf"
sshd_binary: "{{ ansible_facts.env.TMPDIR }}/sshd"
__sshd_runtime_directory: "{{ ansible_facts.env.TMPDIR }}/run"
* tests: Quote also the source filename
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* tests: Add more negative test cases
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* tests: Skip the test with unsafe TMPDIR as it does not work on CentOS8
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* Move the variable checks to separate file ...
... and explain better why this is problematic
Drops also the check for internal variables as the user should not
bother with these.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---------
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Co-authored-by: Markus Linnala <Markus.Linnala@knowit.fi>
