diff --git a/changelogs/fragments/no_log_fix_for_connection_exceptions.yaml b/changelogs/fragments/no_log_fix_for_connection_exceptions.yaml new file mode 100644 index 00000000000..a5be03a6bab --- /dev/null +++ b/changelogs/fragments/no_log_fix_for_connection_exceptions.yaml @@ -0,0 +1,9 @@ +--- +bugfixes: +- '**Security Fix** - Some connection exceptions would cause no_log specified on + a task to be ignored. If this happened, the task information, including any + private information could have been displayed to stdout and (if enabled, not + the default) logged to a log file specified in ansible.cfg''s log_path. + Additionally, sites which redirected stdout from ansible runs to a log file + may have stored that private information onto disk that way as well. + (https://github.com/ansible/ansible/pull/41414)' diff --git a/lib/ansible/executor/task_result.py b/lib/ansible/executor/task_result.py index 40a492d7d8c..6609e066989 100644 --- a/lib/ansible/executor/task_result.py +++ b/lib/ansible/executor/task_result.py @@ -110,7 +110,7 @@ class TaskResult: else: ignore = _IGNORE - if self._result.get('_ansible_no_log', False): + if self._task.no_log or self._result.get('_ansible_no_log', False): x = {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result"} for preserve in _PRESERVE: if preserve in self._result: diff --git a/test/integration/targets/no_log/no_log_local.yml b/test/integration/targets/no_log/no_log_local.yml index bf02468f224..69a55fdb4fe 100644 --- a/test/integration/targets/no_log/no_log_local.yml +++ b/test/integration/targets/no_log/no_log_local.yml @@ -63,3 +63,30 @@ - name: args should be logged when task-level no_log overrides play-level shell: echo "LOG_ME_OVERRIDE" no_log: false + + - name: Add a fake host for next play + add_host: + hostname: fake + +- name: use 'fake' unreachable host to force unreachable error + hosts: fake + gather_facts: no + connection: ssh + tasks: + - name: Fail to run a lineinfile task + vars: + logins: + - machine: foo + login: bar + password: DO_NOT_LOG_UNREACHABLE_ITEM + - machine: two + login: three + password: DO_NOT_LOG_UNREACHABLE_ITEM + lineinfile: + path: /dev/null + mode: 0600 + create: true + insertafter: EOF + line: "machine {{ item.machine }} login {{ item.login }} password {{ item.password }}" + loop: "{{ logins }}" + no_log: true