copy - redact 'content' from invocation in check mode (ansible#71033) (ansible#71069)
* sanitize copy module invocation secrets in check mode (cherry picked from commit 991714b)
Showing
4 changed files
with
98 additions
and
2 deletions.
7 changes: 7 additions & 0 deletions
7
changelogs/fragments/copy-sanitize-check-mode-invocation-args.yaml
@@ -0,0 +1,7 @@ | ||
security_fixes: | ||
- > | ||
**security issue** - copy - Redact the value of the no_log 'content' | ||
parameter in the result's invocation.module_args in check mode. | ||
Previously when used with check mode and with '-vvv', the module | ||
would not censor the content if a change would be made to the | ||
destination path. (CVE-2020-14332) |
@@ -0,0 +1,82 @@ | ||
- block: | ||
|
||
- set_fact: | ||
dest: "{{ local_temp_dir }}/test_no_log" | ||
|
||
- name: ensure playbook and dest files don't exist yet | ||
file: | ||
path: "{{ item }}" | ||
state: absent | ||
loop: | ||
- "{{ local_temp_dir }}/test_no_log.yml" | ||
- "{{ dest }}" | ||
|
||
- name: create a playbook to run with command | ||
copy: | ||
dest: "{{local_temp_dir}}/test_no_log.yml" | ||
content: !unsafe | | ||
--- | ||
- hosts: localhost | ||
gather_facts: no | ||
tasks: | ||
- copy: | ||
dest: "{{ dest }}" | ||
content: "{{ secret }}" | ||
- name: copy the secret while using -vvv and check mode | ||
command: "ansible-playbook {{local_temp_dir}}/test_no_log.yml -vvv -e secret=SECRET -e dest={{dest}} --check" | ||
register: result | ||
|
||
- assert: | ||
that: | ||
- "'SECRET' not in result.stdout" | ||
|
||
- name: copy the secret while using -vvv | ||
command: "ansible-playbook {{local_temp_dir}}/test_no_log.yml -vvv -e secret=SECRET -e dest={{dest}}" | ||
register: result | ||
|
||
- assert: | ||
that: | ||
- "'SECRET' not in result.stdout" | ||
|
||
- name: copy the secret while using -vvv and check mode again | ||
command: "ansible-playbook {{local_temp_dir}}/test_no_log.yml -vvv -e secret=SECRET -e dest={{dest}} --check" | ||
register: result | ||
|
||
- assert: | ||
that: | ||
- "'SECRET' not in result.stdout" | ||
|
||
- name: copy the secret while using -vvv again | ||
command: "ansible-playbook {{local_temp_dir}}/test_no_log.yml -vvv -e secret=SECRET -e dest={{dest}}" | ||
register: result | ||
|
||
- assert: | ||
that: | ||
- "'SECRET' not in result.stdout" | ||
|
||
- name: copy a new secret while using -vvv and check mode | ||
command: "ansible-playbook {{local_temp_dir}}/test_no_log.yml -vvv -e secret=NEWSECRET -e dest={{dest}} --check" | ||
register: result | ||
|
||
- assert: | ||
that: | ||
- "'NEWSECRET' not in result.stdout" | ||
|
||
- name: copy a new secret while using -vvv | ||
command: "ansible-playbook {{local_temp_dir}}/test_no_log.yml -vvv -e secret=NEWSECRET -e dest={{dest}}" | ||
register: result | ||
|
||
- assert: | ||
that: | ||
- "'NEWSECRET' not in result.stdout" | ||
|
||
always: | ||
|
||
- name: remove temp test files | ||
file: | ||
path: "{{ item }}" | ||
state: absent | ||
loop: | ||
- "{{ local_temp_dir }}/test_no_log.yml" | ||
- "{{ dest }}" |
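Review bot: The six `assert` tasks, starting with the one after the first check-mode run, only inspect `result.stdout`, so a secret that surfaces on stderr (for example inside a warning or traceback printed by the inner ansible-playbook) would not fail the test, and nothing confirms that the verbose invocation output the fix redacts was actually produced, so a run that never reached the copy task's `-vvv` output would pass trivially. Adding `- "'SECRET' not in result.stderr"` to each assert (and the NEWSECRET equivalent to the last two), plus a positive check such as `- "'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER' in result.stdout"` (the placeholder Ansible substitutes for no_log values, as far as I recall), would make the regression test prove the redaction path was exercised rather than merely that the literal is absent. As a point of style, the embedded playbook uses `gather_facts: no` where `gather_facts: false` avoids the YAML 1.1 truthy ambiguity, and the `{{local_temp_dir}}` / `{{ local_temp_dir }}` spacing is mixed within the same file. The path of this test file is not shown on the page, and the copy-module change the commit title describes is not among the visible hunks, so the fix itself cannot be checked here.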