Merge pull request #865 from samdoran/protect-resolved-paths

Prevent deletion of both prohibited paths and their resolved targets If the path is a symlink, only the symlinked path was protected from being deleted, not the target the link pointed to. Add tests to cover this scenario. Reviewed-by: Alan Rominger <arominge@redhat.com> Reviewed-by: David Shrewsbury <None> Reviewed-by: None <None>
ansible · Oct 13, 2021 · 405d8aa · 405d8aa
2 parents 7b31e18 + 6ca6126
commit 405d8aa
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/ansible_runner/cleanup.py b/ansible_runner/cleanup.py
@@ -104,10 +104,11 @@ def delete_associated_folders(dir):
 
 def validate_pattern(pattern):
     # do not let user shoot themselves in foot by deleting these important linux folders
-    prohibited_paths = set(Path(s) for s in (
+    paths = (
         '/', '/bin', '/dev', '/home', '/lib', '/mnt', '/proc',
         '/run', '/sys', '/usr', '/boot', '/etc', '/opt', '/sbin', gettempdir(), '/var'
-    ))
+    )
+    prohibited_paths = {Path(s) for s in paths}.union(Path(s).resolve() for s in paths)
     bad_paths = [dir for dir in glob.glob(pattern) if Path(dir).resolve() in prohibited_paths]
     if bad_paths:
         raise RuntimeError(

diff --git a/test/unit/test_cleanup.py b/test/unit/test_cleanup.py
@@ -1,4 +1,5 @@
 import os
+import pathlib
 import random
 import time
 
@@ -80,6 +81,15 @@ def test_registry_auth_cleanup(tmp_path):
         ('/hom*', '/home'),
     )
 )
-def test_validate_pattern(pattern, match):
+def test_validate_pattern(pattern, match, monkeypatch):
+    def mock_resolve(path):
+        resolved = pathlib.Path(path)
+        if path.as_posix().startswith('/hom'):
+            resolved = pathlib.Path('/System/Volumes/Data/home')
+
+        return resolved
+
+    monkeypatch.setattr('ansible_runner.cleanup.Path.resolve', mock_resolve)
+
     with pytest.raises(RuntimeError, match=match):
         validate_pattern(pattern)