Insecure Relative Path Resolution

  • Query id: 8d22ae91-6ac1-459f-95be-d37bd373f244
  • Query name: Insecure Relative Path Resolution
  • Platform: Ansible
  • Severity: Low
  • Category: Best Practices
  • CWE: Ongoing
  • URL: Github

Description

Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: Positive Example
  hosts: localhost
  tasks:
    - name: One
      ansible.builtin.template:
        src: ../templates/foo.j2
        dest: /etc/file.conf
        mode: "0644"
    - name: Two
      ansible.builtin.copy:
        src: ../files/foo.conf
        dest: /etc/foo.conf
        mode: "0644"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
---
- name: Negative Example
  hosts: localhost
  tasks:
    - name: One
      ansible.builtin.copy:
        content:
        dest: /etc/mine.conf
        mode: "0644"
    - name: Two
      ansible.builtin.copy:
        src: /home/example/files/foo.conf
        dest: /etc/foo.conf
        mode: "0644"

---
- name: Negative Example 2
  hosts: localhost
  tasks:
    - name: One
      ansible.builtin.template:
        src: ../example/foo.j2
        dest: /etc/file.conf
        mode: "0644"
    - name: Two
      ansible.builtin.copy:
        src: ../example/foo.conf
        dest: /etc/foo.conf
        mode: "0644"
    - name: Three
      win_template:
        src: ../example/foo2.j2
        dest: /etc/file.conf
        mode: "0644"
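
The check these samples exercise can be sketched as a small scanner. This is an added example, not the query's own code: it assumes, from the samples above alone, that template modules are reported for `../templates` and copy modules for `../files`, while other `../` paths pass. The function name `find_relative_src` and the sample playbook are constructed for illustration.

```python
import re

# Assumption inferred from this page's samples: template modules are reported
# for "../templates" and copy modules for "../files"; other "../" paths pass.
FLAGGED_DIR = {"template": "templates", "copy": "files"}
NAME_RE = re.compile(r"^\s*-\s+name:\s*(.+?)\s*$")
MODULE_RE = re.compile(
    r"^\s+(?:ansible\.(?:builtin|windows)\.)?(?:win_)?(template|copy):\s*$")
SRC_RE = re.compile(r"^\s+src:\s*(\S+)")


def find_relative_src(playbook_text):
    """Return (line, task, module, src) for each flagged src path.

    Line-based scan for block-style YAML only; not a full YAML parser.
    """
    findings, task, module = [], None, None
    for lineno, line in enumerate(playbook_text.splitlines(), 1):
        if m := NAME_RE.match(line):
            task, module = m.group(1), None      # a new play or task starts
        elif m := MODULE_RE.match(line):
            module = m.group(1)                  # normalised to template/copy
        elif module and (m := SRC_RE.match(line)):
            src = m.group(1).strip("\"'")
            parts = src.split("/")
            # Flag a ".." step immediately followed by the conventional dir.
            if any(a == ".." and b == FLAGGED_DIR[module]
                   for a, b in zip(parts, parts[1:])):
                findings.append((lineno, task, module, src))
    return findings


# Constructed sample: task One is reported, Two and Three are not.
SAMPLE = """\
---
- name: Constructed sample
  hosts: localhost
  tasks:
    - name: One
      ansible.builtin.template:
        src: ../templates/foo.j2
    - name: Two
      ansible.builtin.copy:
        src: ../example/foo.conf
    - name: Three
      win_template:
        src: foo2.j2   # bare name, found via the role/playbook templates dir
"""

if __name__ == "__main__":
    for finding in find_relative_src(SAMPLE):
        print("line %d, task %r: %s src %s" % finding)
```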