no_log mask suboption fallback values and defaults CVE-2021-20228 (#7…
Showing
7 changed files
with
125 additions
and
11 deletions.
@@ -0,0 +1,2 @@ | ||
security_fixes: | ||
- '**security issue** - Mask default and fallback values for ``no_log`` module options (CVE-2021-20228)' |
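--- a/test/integration/targets/module_utils/callback/pure_json.py
+++ b/test/integration/targets/module_utils/callback/pure_json.py
@@ -0,0 +1,31 @@
+# (c) 2021 Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = '''
+name: pure_json
+type: stdout
+short_description: only outputs the module results as json
+'''
+
+import json
+
+from ansible.plugins.callback import CallbackBase
+
+
+class CallbackModule(CallbackBase):
+
+    CALLBACK_VERSION = 2.0
+    CALLBACK_TYPE = 'stdout'
+    CALLBACK_NAME = 'pure_json'
+
+    def v2_runner_on_failed(self, result, ignore_errors=False):
+        self._display.display(json.dumps(result._result))
+
+    def v2_runner_on_ok(self, result):
+        self._display.display(json.dumps(result._result))
+
+    def v2_runner_on_skipped(self, result):
+        self._display.display(json.dumps(result._result))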
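Review bot: The three handlers in CallbackModule repeat the same `self._display.display(json.dumps(result._result))` line; a single helper keeps the output format in one place, e.g. `def _dump(self, result): self._display.display(json.dumps(result._result))` with each `v2_runner_on_*` method delegating to it. The class also has no docstring saying that it deliberately prints the full task result, invocation included, so the masking test downstream can inspect it; a one-line comment such as `# Emits the raw result dict so tests can check no_log masking in 'invocation'` would make the intent clear. Presumably an unreachable host produces no JSON line at all, which the consuming playbook would only see as a parse failure; adding `v2_runner_on_unreachable` with the same body would make that case diagnosable.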
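--- a/test/integration/targets/module_utils/library/test_no_log.py
+++ b/test/integration/targets/module_utils/library/test_no_log.py
@@ -0,0 +1,35 @@
+#!/usr/bin/python
+# (c) 2021 Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+from ansible.module_utils.basic import AnsibleModule, env_fallback
+
+
+def main():
+    module = AnsibleModule(
+        argument_spec=dict(
+            explicit_pass=dict(type='str', no_log=True),
+            fallback_pass=dict(type='str', no_log=True, fallback=(env_fallback, ['SECRET_ENV'])),
+            default_pass=dict(type='str', no_log=True, default='zyx'),
+            normal=dict(type='str', default='plaintext'),
+            suboption=dict(
+                type='dict',
+                options=dict(
+                    explicit_sub_pass=dict(type='str', no_log=True),
+                    fallback_sub_pass=dict(type='str', no_log=True, fallback=(env_fallback, ['SECRET_SUB_ENV'])),
+                    default_sub_pass=dict(type='str', no_log=True, default='xvu'),
+                    normal=dict(type='str', default='plaintext'),
+                ),
+            ),
+        ),
+    )
+
+    module.exit_json(changed=False)
+
+
+if __name__ == '__main__':
+    main()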
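Review bot: The argument_spec only exercises default and fallback masking for a top-level option and for one `type='dict'` suboption; the masking of no_log defaults and fallbacks for `type='list', elements='dict'` suboptions and for dicts nested more than one level deep is not covered by this module. The library change that performs the masking is among the 7 changed files but is not shown on this page, so whether those shapes are handled cannot be confirmed from here; adding a `sublist` option mirroring `suboption` with `type='list', elements='dict'` and a matching assertion in the playbook would close the gap. A module docstring stating that this module exists only to surface its `invocation` for the no_log masking test would also help the next reader, since the body does no work beyond `exit_json(changed=False)`.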
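--- a/test/integration/targets/module_utils/module_utils_test_no_log.yml
+++ b/test/integration/targets/module_utils/module_utils_test_no_log.yml
@@ -0,0 +1,9 @@
+# This is called by module_utils_vvvvv.yml with a custom callback
+- hosts: testhost
+  gather_facts: no
+  tasks:
+    - name: Check no_log invocation results
+      test_no_log:
+        explicit_pass: abc
+        suboption:
+          explicit_sub_pass: def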
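--- a/test/integration/targets/module_utils/module_utils_vvvvv.yml
+++ b/test/integration/targets/module_utils/module_utils_vvvvv.yml
@@ -0,0 +1,27 @@
+- hosts: testhost
+  gather_facts: no
+  tasks:
+    # Invocation usually is output with 3vs or more, our callback plugin displays it anyway
+    - name: Check no_log invocation results
+      command: ansible-playbook -i {{ inventory_file }} module_utils_test_no_log.yml
+      environment:
+        ANSIBLE_CALLBACK_PLUGINS: callback
+        ANSIBLE_STDOUT_CALLBACK: pure_json
+        SECRET_ENV: ghi
+        SECRET_SUB_ENV: jkl
+      register: no_log_invocation
+
+    - set_fact:
+        no_log_invocation: '{{ no_log_invocation.stdout | trim | from_json }}'
+
+    - name: check no log values from fallback or default are masked
+      assert:
+        that:
+          - no_log_invocation.invocation.module_args.default_pass == 'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER'
+          - no_log_invocation.invocation.module_args.explicit_pass == 'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER'
+          - no_log_invocation.invocation.module_args.fallback_pass == 'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER'
+          - no_log_invocation.invocation.module_args.normal == 'plaintext'
+          - no_log_invocation.invocation.module_args.suboption.default_sub_pass == 'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER'
+          - no_log_invocation.invocation.module_args.suboption.explicit_sub_pass == 'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER'
+          - no_log_invocation.invocation.module_args.suboption.fallback_sub_pass == 'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER'
+          - no_log_invocation.invocation.module_args.suboption.normal == 'plaintext'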
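Review bot: The assert task only checks that the masked keys carry the placeholder; it never checks that the secret values themselves are absent from the output, so a leak of `ghi`, `jkl`, `zyx` or `xvu` through some other key of the result would pass this test. A negative check on the raw registered output before the `from_json` step, e.g. `- "'ghi' not in no_log_invocation.stdout"` for each of the four fallback and default values (and `abc`/`def` from the inner playbook), pins the actual security property rather than just the placeholder. The `stdout | trim | from_json` step also assumes the callback emitted exactly one JSON document; if the inner playbook ever grows a second task, `from_json` would fail with a parse error rather than a clear assertion, so a comment stating that the inner playbook must stay single-task would be worth adding.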