

Fixed exposed credentials in exception
Under certain conditions, sensitive connection parameters are shown in tracebacks when Ansible receives an unexpected response (in my case `None`) from `set_options` in ansible-connection. This patch creates a list of sensitive connection parameter names from `ansible.constants`, pulls a list of those values in the `params` that are about to be dumped to the screen and log file, and sends the `params` and list of `sensitive_values` to the `module_utils.common.parameters.remove_values` function for processing to hide them before being exposed.
dalrrard committed Jun 7, 2021
1 parent 6d2398d commit fe28767
Showing 1 changed file with 18 additions and 1 deletion.
19 changes: 18 additions & 1 deletion lib/ansible/module_utils/connection.py
Expand Up @@ -38,10 +38,13 @@
import uuid

from functools import partial
from ansible import constants as C
from ansible.module_utils._text import to_bytes, to_text
from ansible.module_utils.common.json import AnsibleJSONEncoder
from ansible.module_utils.common.parameters import remove_values
from ansible.module_utils.six import iteritems
from ansible.module_utils.six.moves import cPickle
from ansible.utils.helpers import deduplicate_list


def write_to_file_descriptor(fd, obj):
Expand Down Expand Up @@ -163,12 +166,26 @@ def _exec_jsonrpc(self, name, *args, **kwargs):
try:
response = json.loads(out)
except ValueError:
params = [repr(arg) for arg in args] + ['{0}={1!r}'.format(k, v) for k, v in iteritems(kwargs)]
sensitive_keys = list(
C.MAGIC_VARIABLE_MAPPING["password"]
+ C.MAGIC_VARIABLE_MAPPING["private_key_file"]
+ C.MAGIC_VARIABLE_MAPPING["become_pass"]
)
sensitive_values = [
v2
for k, v in iteritems(kwargs)
for k2, v2 in iteritems(v)
if k2 in sensitive_keys
]
params = [repr(remove_values(arg, sensitive_values)) for arg in args] + [
"{0}={1!r}".format(k, remove_values(v, sensitive_values))
for k, v in iteritems(kwargs)]
params = ', '.join(params)
raise ConnectionError(
"Unable to decode JSON from response to {0}({1}). Received '{2}'.".format(name, params, out)
)


if response['id'] != reqid:
raise ConnectionError('invalid json-rpc id received')
if "result_type" in response:
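Review bot: The `sensitive_values` comprehension collects whatever the sensitive keys hold, including `None` or `""` for connection vars that are present but unset, and `remove_values` runs `to_native` over every entry before substring replacement, so a `None` entry masks the literal text `None` elsewhere in `params` and an empty string becomes an empty replace pattern that garbles every parameter string; filter with `if k2 in sensitive_keys and v2` as Ansible's own no_log collection does by skipping falsy values. The inner `iteritems(v)` also assumes every keyword value is a mapping, so a non-dict kwarg on this error path raises AttributeError inside the `except` and replaces the intended ConnectionError; guard it with `for k, v in iteritems(kwargs) if isinstance(v, dict)`. Only kwargs are scanned, so a dict passed positionally contributes nothing to `sensitive_values` and is only masked if its secrets happen to also appear in a kwarg — worth a comment if that is deliberate. `k` in the outer loop is unused and could be `_`, and `deduplicate_list` imported in the first hunk is not applied to this list, if that was its purpose. `_exec_jsonrpc` begins before this hunk.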

