validate-modules no_log test: extend search range, add more known false-positives (#73882)

* validate-modules no_log test: extend search range, add more known false-positives.

* Mark false-positives.
pull/73896/head
Felix Fontein 3 years ago committed by GitHub
parent ed18fcac3b
commit 7c0af58449
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -599,9 +599,9 @@ def main():
exclude=dict(type='list', elements='str'),
failovermethod=dict(choices=['roundrobin', 'priority']),
file=dict(),
gpgcakey=dict(),
gpgcakey=dict(no_log=False),
gpgcheck=dict(type='bool'),
gpgkey=dict(type='list', elements='str'),
gpgkey=dict(type='list', elements='str', no_log=False),
module_hotfixes=dict(type='bool'),
http_caching=dict(choices=['all', 'packages', 'none']),
include=dict(),
@ -635,7 +635,7 @@ def main():
sslcacert=dict(aliases=['ca_cert']),
ssl_check_cert_permissions=dict(type='bool'),
sslclientcert=dict(aliases=['client_cert']),
sslclientkey=dict(aliases=['client_key']),
sslclientkey=dict(aliases=['client_key'], no_log=False),
sslverify=dict(type='bool', aliases=['validate_certs']),
state=dict(choices=['present', 'absent'], default='present'),
throttle=dict(),
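Review bot: The new `no_log=False` markings on `gpgcakey`, `gpgkey` and `sslclientkey` carry no comment saying why these values are safe to log, so the next reader has to rediscover that `sslclientkey` (alias `client_key`) presumably holds a filesystem path rather than the key material itself. A one-line note on each would pin the reasoning down, e.g. on the `sslclientkey` entry: `# path to the client key file, not the key itself; safe to log`. The same applies to `gpgcakey` and `gpgkey` in the first hunk, which from their names and the `list` of `str` type look like key URLs or locations rather than secrets — confirm against the module documentation before wording the comments. `main()` begins outside the hunk.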

@ -97,12 +97,12 @@ LOOSE_ANSIBLE_VERSION = LooseVersion('.'.join(ansible_version.split('.')[:3]))
def is_potential_secret_option(option_name):
if not NO_LOG_REGEX.match(option_name):
if not NO_LOG_REGEX.search(option_name):
return False
# If this is a count, type, algorithm, timeout, or name, it is probably not a secret
# If this is a count, type, algorithm, timeout, filename, or name, it is probably not a secret
if option_name.endswith((
'_count', '_type', '_alg', '_algorithm', '_timeout', '_name', '_comment',
'_bits', '_id', '_identifier', '_period',
'_bits', '_id', '_identifier', '_period', '_file', '_filename',
)):
return False
# 'key' also matches 'publickey', which is generally not secret
