Restrict role loading .. to role ... (#77683)

* Ansible will now error out if you try to use the `*_from` to load files from outside the role being loaded by `{import,include}_role`

3 files changed, 17 insertions, 0 deletions

diff --git a/test/integration/targets/roles/no_outside.yml b/test/integration/targets/roles/no_outside.yml
new file mode 100644
index 0000000000..cf6fe103c2
--- /dev/null
+++ b/test/integration/targets/roles/no_outside.yml
@@ -0,0 +1,7 @@
+- hosts: testhost
+  gather_facts: false
+  tasks:
+    - name: role attempts to load file from outside itself
+      include_role:
+          name: a
+          tasks_from: "{{ playbook_dir }}/tasks/dummy.yml"
diff --git a/test/integration/targets/roles/runme.sh b/test/integration/targets/roles/runme.sh
index 5f11c1fca6..bb98a93292 100755
--- a/test/integration/targets/roles/runme.sh
+++ b/test/integration/targets/roles/runme.sh
@@ -17,3 +17,12 @@ set -eux
 
 # ensure role data is merged correctly
 ansible-playbook data_integrity.yml -i ../../inventory "$@"
+
+# ensure role fails when trying to load 'non role' in  _from
+ansible-playbook no_outside.yml -i ../../inventory "$@" > role_outside_output.log 2>&1 || true
+if grep "as it is not inside the expected role path" role_outside_output.log >/dev/null; then
+  echo "Test passed (playbook failed with expected output, output not shown)."
+else
+  echo "Test failed, expected output from playbook failure is missing, output not shown)."
+  exit 1
+fi
diff --git a/test/integration/targets/roles/tasks/dummy.yml b/test/integration/targets/roles/tasks/dummy.yml
new file mode 100644
index 0000000000..b168b7ab84
--- /dev/null
+++ b/test/integration/targets/roles/tasks/dummy.yml
@@ -0,0 +1 @@
+- debug: msg='this should not run'