fix: 过滤 localhost 注入问题

apps/ops/models/job.py

@@ -295,10 +295,20 @@ class JobExecution(JMSOrgBaseModel):
         task_id = current_task.request.root_id
         self.task_id = task_id
 
+    def check_danger_keywords(self):
+        lines = self.job.playbook.check_dangerous_keywords()
+        if len(lines) > 0:
+            for line in lines:
+                print('\033[31mThe {} line of the file \'{}\' contains the '
+                      'dangerous keyword \'{}\'\033[0m'.format(line['line'], line['file'], line['keyword']))
+            raise Exception("Playbook contains dangerous keywords")
+
     def start(self, **kwargs):
         self.date_start = timezone.now()
         self.set_celery_id()
         self.save()
+        if self.job.type == 'playbook':
+            self.check_danger_keywords()
         runner = self.get_runner()
         try:
             cb = runner.run(**kwargs)

apps/ops/models/playbook.py

@@ -9,6 +9,13 @@ from ops.const import CreateMethods
 from ops.exception import PlaybookNoValidEntry
 from orgs.mixins.models import JMSOrgBaseModel
 
+dangerous_keywords = (
+    'delegate_to:localhost',
+    'delegate_to:127.0.0.1',
+    'local_action',
+    'connection:local',
+)
+
 
 class Playbook(JMSOrgBaseModel):
     id = models.UUIDField(default=uuid.uuid4, primary_key=True)
@@ -20,6 +27,27 @@ class Playbook(JMSOrgBaseModel):
                                      verbose_name=_('CreateMethod'))
     vcs_url = models.CharField(max_length=1024, default='', verbose_name=_('VCS URL'), null=True, blank=True)
 
+    def check_dangerous_keywords(self):
+        result = []
+        for root, dirs, files in os.walk(self.work_dir):
+            for f in files:
+                if str(f).endswith('.yml') or str(f).endswith('.yaml'):
+                    lines = self.search_keywords(os.path.join(root, f))
+                    if len(lines) > 0:
+                        for line in lines:
+                            result.append({'file': f, 'line': line[0], 'keyword': line[1]})
+        return result
+
+    @staticmethod
+    def search_keywords(file):
+        result = []
+        with open(file, 'r') as f:
+            for line_num, line in enumerate(f):
+                for keyword in dangerous_keywords:
+                    if keyword in line.replace(' ', ''):
+                        result.append((line_num, keyword))
+            return result
+
     @property
     def entry(self):
         work_dir = self.work_dir