This repository has been archived by the owner on Jun 13, 2024. It is now read-only.

warn about disclosure when using certain options #51

Merged
merged 1 commit into from
Mar 11, 2020

Conversation

bcoca
Contributor

@bcoca bcoca commented Mar 11, 2020

SUMMARY

Some options push data inline into the CLI; this is not good when using secrets and can lead to disclosure.
CVE-2020-1753

ISSUE TYPE
  • Bugfix Pull Request
  • Docs Pull Request
COMPONENT NAME

kubectl

@@ -65,6 +65,7 @@
kubectl_extra_args:
description:
- Extra arguments to pass to the kubectl command line.
- Please be aware that this passes information directly on the command line and it could expose sensitive data.
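Review bot: the added description line warns that the value is passed on the command line but does not tell the user what to do instead; since the surrounding discussion already settled on the wording, append "We recommend using the file based authentication options instead." to this description so the warning points at the safer path rather than only naming the risk. It would also help to say why command-line arguments are exposed (they are visible to other users of the host through process listings and can end up in shell history and logs), so readers understand that `no_log` on the task does not cover this path.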


Should you add the "We recommend using the file based authentication options instead." here too?


Guess not? Looks like this was just merged.

Collaborator


My bad, though I think the password/API key are the only sensitive auth bits you can pass in plain text that you need to work around with file-based auth; the other kubectl options are either just paths to files or not sensitive AFAIK.


Collaborator

@fabianvf fabianvf left a comment


/lgtm

@fabianvf fabianvf merged commit afc6d9d into master Mar 11, 2020
@bcoca bcoca deleted the warn_cli_options branch March 12, 2020 19:50
@bcoca
Contributor Author

bcoca commented Apr 3, 2020

backport ansible/ansible#68195
