From 19e9f3dae23e77bb59d934871d6d1e76b75bb0a2 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Tue, 8 Apr 2025 07:53:36 -0700
Subject: [PATCH] basic: remember the user sensitive information to use later (#84699)
* Git allows embedding username and password in repo URL for https authentication. This may lead to exposing the user sensitive information to logs and unautheticated users. Adding no_log will partially solve this.
* Added documentation warning user about URL embedded with username and password.
* Added logic to remember user sensitive information for later sanitization
Fixes: #84557
Signed-off-by: Abhijeet Kasurde
---
 changelogs/fragments/no_log.yml | 3 +++
 lib/ansible/module_utils/basic.py | 3 +++
 lib/ansible/modules/git.py | 4 ++++
 test/integration/targets/git/tasks/formats.yml | 13 +++++++++++++
 test/integration/targets/git/tasks/main.yml | 18 ++----------------
 test/integration/targets/git/vars/main.yml | 1 +
 6 files changed, 26 insertions(+), 16 deletions(-)
 create mode 100644 changelogs/fragments/no_log.yml
diff --git a/changelogs/fragments/no_log.yml b/changelogs/fragments/no_log.yml
new file mode 100644
index 00000000000..54ec3c2bdc9
--- /dev/null
+++ b/changelogs/fragments/no_log.yml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+ - basic - remember password for later sanitization of sensitive information (https://github.com/ansible/ansible/issues/84557).
diff --git a/lib/ansible/module_utils/basic.py b/lib/ansible/module_utils/basic.py
index fbc5ea17630..1d2978bca6c 100644
--- a/lib/ansible/module_utils/basic.py
+++ b/lib/ansible/module_utils/basic.py
@@ -288,6 +288,9 @@ def heuristic_log_sanitize(data, no_log_values=None):
 output.insert(0, data[end:prev_begin])
 output.insert(0, '********')
 output.insert(0, data[begin:sep + 1])
+ # Remember the password for later log sanitization
+ if no_log_values is not None:
+ no_log_values.add(data[sep + 1:end])
 prev_begin = begin
 output = ''.join(output)
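Review bot: The slice `data[sep + 1:end]` that the new lines add to `no_log_values` is empty when the separator is immediately followed by the `@` (a `user:@host` form), and nothing in the hunk excludes that case; the function's later pass that masks every remembered value (outside this hunk) would then presumably treat an empty string as matching everywhere, so the add should be guarded, e.g. `if no_log_values is not None and end > sep + 1:`. The `.add` call also turns `no_log_values` into a required mutable set, while the signature default `None` and the existing truthiness check further down say nothing about that; a docstring line such as `no_log_values: mutable set; any password found in data is added to it so the caller masks it in later output` would make the new side effect part of the documented contract. heuristic_log_sanitize's body begins and ends outside this hunk.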
diff --git a/lib/ansible/modules/git.py b/lib/ansible/modules/git.py
index 14d26195461..f7b5ae9752f 100644
--- a/lib/ansible/modules/git.py
+++ b/lib/ansible/modules/git.py
@@ -21,6 +21,10 @@ options:
 repo:
 description:
 - git, SSH, or HTTP(S) protocol address of the git repository.
+ - Avoid embedding usernames and passwords within Git repository URLs. This practice is insecure and can lead to unauthorized access to your repositories. For secure authentication, configure SSH keys (recommended) or use a credential helper. See Git documentation on SSH keys/credential helpers for instructions.
 type: str
 required: true
 aliases: [ name ]
diff --git a/test/integration/targets/git/tasks/formats.yml b/test/integration/targets/git/tasks/formats.yml
index e5fcda72164..5b4d4e3b38b 100644
--- a/test/integration/targets/git/tasks/formats.yml
+++ b/test/integration/targets/git/tasks/formats.yml
@@ -38,3 +38,16 @@
 assert:
 that:
 - "not git_result2.changed"
+
+- name: FORMATS | check for sensitive information in repo
+ git:
+ repo: "{{ repo_format4 }}"
+ dest: "{{ repo_dir }}/format4"
+ register: format4
+ ignore_errors: yes
+
+- name: FORMATS | assert absence of repo
+ assert:
+ that:
+ - not format4.changed
+ - "'********@https' in format4.stderr"
diff --git a/test/integration/targets/git/tasks/main.yml b/test/integration/targets/git/tasks/main.yml
index 228aaf01484..dd4eb08db08 100644
--- a/test/integration/targets/git/tasks/main.yml
+++ b/test/integration/targets/git/tasks/main.yml
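Review bot: The final assert only checks that the masked form `'********@https'` appears in `format4.stderr`; it never checks that the value it is meant to hide is absent, which is the regression the change targets, so a sanitizer that printed both the masked and the raw URL would still pass. Add `- "'password' not in format4.stderr"` and, since the remembered value is meant to be masked from the whole module result, `- "'password' not in (format4 | to_json)"`; the literal is the one used in the `repo_format4` fixture added in vars/main.yml. The task also relies on `ignore_errors: yes` without asserting `format4 is failed`, so a clone that unexpectedly succeeds or is skipped would still satisfy `not format4.changed`.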
@@ -1,20 +1,6 @@
 # test code for the git module
-# (c) 2014, James Tanner
-
-# This file is part of Ansible
-#
-# Ansible is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# Ansible is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Ansible. If not, see .
+# Copyright: (c) 2014, James Tanner
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 # NOTE: Moving `$HOME` to tmp dir allows this integration test be
 # NOTE: non-destructive. There is no other way to instruct Git use a custom
diff --git a/test/integration/targets/git/vars/main.yml b/test/integration/targets/git/vars/main.yml
index 55c7c4384a0..db58ca648dd 100644
--- a/test/integration/targets/git/vars/main.yml
+++ b/test/integration/targets/git/vars/main.yml
@@ -33,6 +33,7 @@ separate_git_dir: '{{ remote_tmp_dir }}/sep_git_dir'
 repo_format1: 'https://github.com/jimi-c/test_role'
 repo_format2: 'git@github.com:jimi-c/test_role.git'
 repo_format3: 'ssh://git@github.com/jimi-c/test_role.git'
+repo_format4: 'username:password@https://github.com/thisdoesnotexists/test_role' # This is an invalid Git protocol, added here for testing
 repo_submodules: 'https://github.com/abadger/test_submodules_newer.git'
 repo_submodule1: 'https://github.com/abadger/test_submodules_subm1.git'
 repo_submodule2: 'https://github.com/abadger/test_submodules_subm2.git'
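Review bot: The only credential-bearing fixture, `repo_format4`, places the user info before the scheme, so git rejects the URL before using it and the sanitizer is exercised only on that error path; a second, well-formed fixture (e.g. `https://username:password@github.com/thisdoesnotexists/test_role`, a constructed value) would also cover the URL form users actually write, where the clone is attempted with the credentials. The trailing comment calls it an invalid protocol, but what is invalid is the URL layout; `# malformed URL (userinfo before the scheme), used to exercise password masking` states why the fixture exists.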