From 3c91eab0d8f05de39648a8bbe1149a8c4c591fb9 Mon Sep 17 00:00:00 2001
From: Brian Coca <bcoca@users.noreply.github.com>
Date: Tue, 10 Dec 2024 10:07:12 -0500
Subject: copy, prevent internal options in task (#84422)

* copy, prevent internal options in task

fixes #84367
---
 changelogs/fragments/copy_validate_input.yml |  2 ++
 lib/ansible/plugins/action/copy.py           |  7 ++++++-
 test/integration/targets/copy/tasks/main.yml | 14 ++++++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/copy_validate_input.yml

diff --git a/changelogs/fragments/copy_validate_input.yml b/changelogs/fragments/copy_validate_input.yml
new file mode 100644
index 0000000000..6673def54e
--- /dev/null
+++ b/changelogs/fragments/copy_validate_input.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - copy action now prevents user from setting internal options.
diff --git a/lib/ansible/plugins/action/copy.py b/lib/ansible/plugins/action/copy.py
index 2047671b47..a6de4b05d3 100644
--- a/lib/ansible/plugins/action/copy.py
+++ b/lib/ansible/plugins/action/copy.py
@@ -26,7 +26,7 @@ import tempfile
 import traceback
 
 from ansible import constants as C
-from ansible.errors import AnsibleError, AnsibleFileNotFound
+from ansible.errors import AnsibleError, AnsibleActionFail, AnsibleFileNotFound
 from ansible.module_utils.basic import FILE_COMMON_ARGUMENTS
 from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
 from ansible.module_utils.parsing.convert_bool import boolean
@@ -412,6 +412,11 @@ class ActionModule(ActionBase):
         result = super(ActionModule, self).run(tmp, task_vars)
         del tmp  # tmp no longer has any effect
 
+        # ensure user is not setting internal parameters
+        for internal in ('_original_basename', '_diff_peek'):
+            if self._task.args.get(internal, None) is not None:
+                raise AnsibleActionFail(f'Invalid parameter specified: "{internal}"')
+
         source = self._task.args.get('src', None)
         content = self._task.args.get('content', None)
         dest = self._task.args.get('dest', None)
diff --git a/test/integration/targets/copy/tasks/main.yml b/test/integration/targets/copy/tasks/main.yml
index d46b783d74..eba932f819 100644
--- a/test/integration/targets/copy/tasks/main.yml
+++ b/test/integration/targets/copy/tasks/main.yml
@@ -109,6 +109,20 @@
     - name: tests with remote_src and non files
       import_tasks: src_remote_file_is_not_file.yml
 
+    - name: Test internal options
+      copy:
+        content: 'irrelevant'
+        dest: '{{ local_temp_dir}}/file.txt'
+        _diff_peek: true
+      register: peek
+      ignore_errors: true
+
+    - name: Test internal options
+      assert:
+        that:
+          - peek is failed
+          - "'_diff_peek' in peek['msg']"
+
   always:
     - name: Cleaning
       file:
-- 
cgit v1.2.3