Mark (some ?) Nautobot variables/inputs as unsafe #114

u1735067 opened this issue Nov 18, 2021 · 0 comments

ISSUE TYPE
  • Bug Report
  • Feature Idea
SOFTWARE VERSIONS
  • pynautobot: 1.0.3
  • Ansible: 2.11.6
  • Nautobot: 1.1.4
  • Collection: v3.1.0

SUMMARY

When using Jinja2 tags in some fields imported from Nautobot (like a config context), Ansible will try to template the string which is likely to fail (and may have security implications if you put something like a lookup).

Maybe this is an Ansible bug (or feature; it seems Ansible's inventory plugins are not doing any value sanitization, but I'm not sure this should be the default). In that case, maybe this could be an option (enabled by default) in this plugin?

STEPS TO REPRODUCE
  • Create a config context like:
{"my_var": "{{ hi_ansible }}"}
  • Use this config context in some playbook like below
- hosts: all
  tasks:
    # Ok for some reason ..
    - ansible.builtin.debug:
        msg: "{{ hostvars[inventory_hostname].config_context.my_var }}"
      run_once: true
      delegate_to: localhost

    # All of them will fail
    - ansible.builtin.debug:
        msg: "{{ config_context.my_var }}"
        # msg: "{{ lookup('list', [config_context.my_var]) }}"
        # msg: "{{ lookup('list', [hostvars[inventory_hostname].config_context.my_var]) }}"
      run_once: true
      delegate_to: localhost
    
    # ->"The task includes an option with an undefined variable. The error was: {[..]}: 'hi_ansible' is undefined"
EXPECTED RESULTS
ok: [my_host -> localhost] => {
    "msg": "{{ hi_ansible }}"
}
ACTUAL RESULTS
"The task includes an option with an undefined variable. The error was: {[..]}: 'hi_ansible' is undefined"
Additional information

This can be patched by importing from ansible.utils.unsafe_proxy import wrap_var and wrapping values at https://github.com/nautobot/nautobot-ansible/blob/v3.1.0/plugins/inventory/inventory.py#L1409-L1412.

While I checked the changelog before posting this, I couldn't test with a newer version, sorry.
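
A stdlib-only model of the fix proposed in the report, added here as an illustration and not code from the collection or from Ansible: `UnsafeText`, `mark_unsafe`, `render`, `lookup` and the sample data are hypothetical stand-ins for Ansible's unsafe marker, `wrap_var` and its templating step. It goes beyond the single `my_var` case by walking nested dicts and lists, since config contexts are arbitrary JSON.

```python
import re

class UnsafeText(str):
    """Hypothetical stand-in for a string marked 'never template this'."""
    __UNSAFE__ = True

def mark_unsafe(value):
    """Recursively mark every string in inventory-supplied data as unsafe."""
    if isinstance(value, UnsafeText):
        return value
    if isinstance(value, str):
        return UnsafeText(value)
    if isinstance(value, dict):
        return {mark_unsafe(k): mark_unsafe(v) for k, v in value.items()}
    if isinstance(value, (list, tuple, set)):
        return type(value)(mark_unsafe(v) for v in value)
    return value  # numbers, booleans and None carry no template syntax

_EXPR = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")

def lookup(path, variables):
    """Resolve a dotted name; a missing part models the 'is undefined' error."""
    current = variables
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            raise KeyError(f"'{part}' is undefined")
        current = current[part]
    return current

def render(template, variables):
    """Toy templater for whole-string '{{ name }}' expressions.

    It templates the looked-up value again (the behaviour that makes the
    report's second task fail) but stops at anything marked unsafe.
    """
    if getattr(template, "__UNSAFE__", False) or not isinstance(template, str):
        return template
    match = _EXPR.fullmatch(template.strip())
    if match is None:
        return template
    return render(lookup(match.group(1), variables), variables)

# Constructed inventory data mirroring the config context from the report.
RAW = {"config_context": {"my_var": "{{ hi_ansible }}", "ntp": ["{{ x }}", 3]}}
```

With `RAW` as-is, `render("{{ config_context.my_var }}", RAW)` raises the undefined-variable error; after `mark_unsafe(RAW)` the same call returns the literal string from the EXPECTED RESULTS.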
