* sanitize copy module invocation secrets in check mode
(cherry picked from commit 991714b9d1)
pull/71153/head
parent
59c9a1833e
commit
6cae9a4b16
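--- /dev/null
+++ b/<path not shown on page>/changelog-fragment.yml
@@ -0,0 +1,7 @@
+security_fixes:
+  - >
+    **security issue** - copy - Redact the value of the no_log 'content'
+    parameter in the result's invocation.module_args in check mode.
+    Previously when used with check mode and with '-vvv', the module
+    would not censor the content if a change would be made to the
+    destination path. (CVE-2020-14332)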
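--- /dev/null
+++ b/<path not shown on page>/no_log-tasks.yml
@@ -0,0 +1,82 @@
+- block:
+
+  - set_fact:
+      dest: "{{ local_temp_dir }}/test_no_log"
+
+  - name: ensure playbook and dest files don't exist yet
+    file:
+      path: "{{ item }}"
+      state: absent
+    loop:
+    - "{{ local_temp_dir }}/test_no_log.yml"
+    - "{{ dest }}"
+
+  - name: create a playbook to run with command
+    copy:
+      dest: "{{local_temp_dir}}/test_no_log.yml"
+      content: !unsafe |
+        ---
+        - hosts: localhost
+          gather_facts: no
+          tasks:
+          - copy:
+              dest: "{{ dest }}"
+              content: "{{ secret }}"
+
+  - name: copy the secret while using -vvv and check mode
+    command: "ansible-playbook {{local_temp_dir}}/test_no_log.yml -vvv -e secret=SECRET -e dest={{dest}} --check"
+    register: result
+
+  - assert:
+      that:
+      - "'SECRET' not in result.stdout"
+
+  - name: copy the secret while using -vvv
+    command: "ansible-playbook {{local_temp_dir}}/test_no_log.yml -vvv -e secret=SECRET -e dest={{dest}}"
+    register: result
+
+  - assert:
+      that:
+      - "'SECRET' not in result.stdout"
+
+  - name: copy the secret while using -vvv and check mode again
+    command: "ansible-playbook {{local_temp_dir}}/test_no_log.yml -vvv -e secret=SECRET -e dest={{dest}} --check"
+    register: result
+
+  - assert:
+      that:
+      - "'SECRET' not in result.stdout"
+
+  - name: copy the secret while using -vvv again
+    command: "ansible-playbook {{local_temp_dir}}/test_no_log.yml -vvv -e secret=SECRET -e dest={{dest}}"
+    register: result
+
+  - assert:
+      that:
+      - "'SECRET' not in result.stdout"
+
+  - name: copy a new secret while using -vvv and check mode
+    command: "ansible-playbook {{local_temp_dir}}/test_no_log.yml -vvv -e secret=NEWSECRET -e dest={{dest}} --check"
+    register: result
+
+  - assert:
+      that:
+      - "'NEWSECRET' not in result.stdout"
+
+  - name: copy a new secret while using -vvv
+    command: "ansible-playbook {{local_temp_dir}}/test_no_log.yml -vvv -e secret=NEWSECRET -e dest={{dest}}"
+    register: result
+
+  - assert:
+      that:
+      - "'NEWSECRET' not in result.stdout"
+
+  always:
+
+  - name: remove temp test files
+    file:
+      path: "{{ item }}"
+      state: absent
+    loop:
+    - "{{ local_temp_dir }}/test_no_log.yml"
+    - "{{ dest }}"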
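Review bot: Every `assert` in the new test inspects only `result.stdout`, so a leak of the secret through whatever the inner `ansible-playbook` writes to stderr (for example a traceback raised while rendering the invocation) would not fail the test. Add `- "'SECRET' not in result.stderr"` next to each stdout condition, and the matching `- "'NEWSECRET' not in result.stderr"` in the last two asserts, so the regression check covers both streams. Separately, `gather_facts: no` in the embedded playbook is a YAML 1.1 truthy spelling; `gather_facts: false` means the same to ansible-playbook and does not trip yamllint's `truthy` rule.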