[bp-2.9] bitbucket_pipeline_variable: Hide secured values in console log (#73243)

**SECURITY** - CVE-2021-20180 Hide user sensitive information which is marked as ``secured`` while logging in console. Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
5 years ago · 4290d704b1
parent 2282325334
commit 4290d704b1
2 changed files with 13 additions and 3 deletions
--- a/changelogs/fragments/cve_bitbucket_pipeline_variable.yml
+++ b/changelogs/fragments/cve_bitbucket_pipeline_variable.yml
@ -0,0 +1,2 @@
+security_fixes:
+- 'bitbucket_pipeline_variable - hide user sensitive information which are marked as ``secured`` from logging into the console (https://github.com/ansible-collections/community.general/pull/1635) (CVE-2021-20180).'
--- a/lib/ansible/modules/source_control/bitbucket/bitbucket_pipeline_variable.py
+++ b/lib/ansible/modules/source_control/bitbucket/bitbucket_pipeline_variable.py
@ -79,7 +79,7 @@ EXAMPLES = r'''
    secured: '{{ item.secured }}'
    state: present
  with_items:
-    - { name: AWS_ACCESS_KEY, value: ABCD1234 }
+    - { name: AWS_ACCESS_KEY, value: ABCD1234, secured: False }
    - { name: AWS_SECRET, value: qwe789poi123vbn0, secured: True }

 - name: Remove pipeline variable
@ -92,7 +92,7 @@ EXAMPLES = r'''

 RETURN = r''' # '''

-from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.basic import AnsibleModule, _load_params
 from ansible.module_utils.source_control.bitbucket import BitbucketHelper

 error_messages = {
@ -214,6 +214,14 @@ def delete_pipeline_variable(module, bitbucket, variable_uuid):
        ))


+class BitBucketPipelineVariable(AnsibleModule):
+    def __init__(self, *args, **kwargs):
+        params = _load_params() or {}
+        if params.get('secured'):
+            kwargs['argument_spec']['value'].update({'no_log': True})
+        super(BitBucketPipelineVariable, self).__init__(*args, **kwargs)
+
+
 def main():
    argument_spec = BitbucketHelper.bitbucket_argument_spec()
    argument_spec.update(
@ -224,7 +232,7 @@ def main():
        secured=dict(type='bool', default=False),
        state=dict(type='str', choices=['present', 'absent'], required=True),
    )
-    module = AnsibleModule(
+    module = BitBucketPipelineVariable(
        argument_spec=argument_spec,
        supports_check_mode=True,
    )