
Commit fe28767

authored
Fixed exposed credentials in exception
Under certain conditions, sensitive connection parameters are shown in tracebacks when Ansible receives an unexpected response (in my case `None`) from `set_options` in ansible-connection. This patch creates a list of sensitive connection parameter names from `ansible.constants`, pulls a list of those values in the `params` that are about to be dumped to the screen and log file, and sends the `params` and list of `sensitive_values` to the `module_utils.common.parameters.remove_values` function for processing to hide them before being exposed.
1 parent 6d2398d commit fe28767


1 file changed

+18
-1
lines changed


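--- a/lib/ansible/module_utils/connection.py
+++ b/lib/ansible/module_utils/connection.py
@@ -38,10 +38,13 @@
 import uuid
 
 from functools import partial
+from ansible import constants as C
 from ansible.module_utils._text import to_bytes, to_text
 from ansible.module_utils.common.json import AnsibleJSONEncoder
+from ansible.module_utils.common.parameters import remove_values
 from ansible.module_utils.six import iteritems
 from ansible.module_utils.six.moves import cPickle
+from ansible.utils.helpers import deduplicate_list
 
 
 def write_to_file_descriptor(fd, obj):
@@ -163,12 +166,26 @@ def _exec_jsonrpc(self, name, *args, **kwargs):
 try:
 response = json.loads(out)
 except ValueError:
-params = [repr(arg) for arg in args] + ['{0}={1!r}'.format(k, v) for k, v in iteritems(kwargs)]
+sensitive_keys = list(
+C.MAGIC_VARIABLE_MAPPING["password"]
++ C.MAGIC_VARIABLE_MAPPING["private_key_file"]
++ C.MAGIC_VARIABLE_MAPPING["become_pass"]
+)
+sensitive_values = [
+v2
+for k, v in iteritems(kwargs)
+for k2, v2 in iteritems(v)
+if k2 in sensitive_keys
+]
+params = [repr(remove_values(arg, sensitive_values)) for arg in args] + [
+"{0}={1!r}".format(k, remove_values(v, sensitive_values))
+for k, v in iteritems(kwargs)]
 params = ', '.join(params)
 raise ConnectionError(
 "Unable to decode JSON from response to {0}({1}). Received '{2}'.".format(name, params, out)
 )
 
+
 if response['id'] != reqid:
 raise ConnectionError('invalid json-rpc id received')
 if "result_type" in response: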
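Review bot: The `sensitive_values` comprehension in the `except ValueError` branch calls `iteritems(v)` on every keyword argument, so any kwarg that is not a dict raises `AttributeError` from inside the handler and the intended `ConnectionError` is never raised; dicts passed positionally in `args` are also never scanned for secrets, although they are still printed. Guard with `isinstance(v, dict)`, scan `args` as well, and skip empty values, since an empty or `None` entry in the list handed to `remove_values` could, as far as I can tell, mask unrelated text. Separately, `deduplicate_list` is imported but not used in the visible hunks, and `ansible.constants` / `ansible.utils.helpers` live outside `ansible.module_utils`, which may not be importable where module_utils code is packaged for remote execution; worth confirming. `_exec_jsonrpc` starts and ends outside the hunk.

```python
        except ValueError:
            # … unchanged: sensitive_keys built from C.MAGIC_VARIABLE_MAPPING …
            sensitive_values = [
                v2
                for v in list(args) + list(kwargs.values())
                if isinstance(v, dict)
                for k2, v2 in iteritems(v)
                if k2 in sensitive_keys and v2
            ]
            # … unchanged: params built through remove_values, ConnectionError raised …
```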
