Variable Injection
Detects variable injection risks and unsafe variable usage
5 rules in variable_injection.yml
HIGH: 4 | MEDIUM: 1
| Rule ID | Severity | Title | Description | Refs |
|---|---|---|---|---|
| dynamic_ | HIGH | Dynamic Include Injection | `include_vars` / `include_tasks` targets a `{{ … }}` expression. A user-controlled include path executes whatever YAML the attacker can stage, with the playbook's privileges. | |
| groupvars_ | HIGH | Group Variables Injection Risk | `group_vars[{{ … }}]` indexes the `group_vars` dict by a user-controlled expression. The pattern lets attackers pivot into any group's variable namespace at runtime. | |
| hostvars_ | HIGH | Hostvars Injection Risk | Using `hostvars` with a user-controlled expression can lead to variable injection. | |
| vars_ | HIGH | Variables Lookup Injection | `lookup('vars', {{ … }})` reads a variable named by a user-controlled expression. Attackers can pull vault-resident values whose names they would not otherwise know. | |
| register_ | MEDIUM | Register Variable Injection | `register: '{{ … }}'` uses a Jinja expression as the variable name. Attacker-controlled register names overwrite vault-loaded values mid-play. | |