jenkins_plugin "params" argument is insecure #30874
Comments
params could be logged so never use it for passwords. Also add code to raise an error if passwords are used in that field. References ansible#30874

Changed the documentation and also raised an error if params has url_password. I think that will take care of the security aspect of the bug. We can remove the param field in devel to finish off this ticket.

@abadger I see the security risk when the password is exposed in logs but I don't like to remove this usability feature completely. Wouldn't it be possible to define which fields should be obfuscated from the logs on the

    module = AnsibleModule(
        argument_spec=dict(
            # ... other options ...
            # argument_spec spells this flag no_log
            params=dict(type='dict', no_log=True),
            # ... other options ...
        )
    )

The core team discussed that argument and decided that they didn't think
that was a good idea. You can put it on the public irc meeting agenda,
though.

I have added it on the agenda for Thursday ;o)

Just thinking about it again and we should not do By "We can remove the param field in devel to finish off this ticket" you meant to remove the whole

Yes, that is what the core team decided they wanted.

It was decided that these options which override Ansible module options from a generic, unchecked dict are an antipattern for Ansible Modules and must be removed: https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html Fixes ansible#30874
…le#32708) * Remove the params option from jenkins_plugin and yum_repository It was decided that these options which override Ansible module options from a generic, unchecked dict are an antipattern for Ansible Modules and must be removed: https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html Fixes ansible#30874
ISSUE TYPE
COMPONENT NAME
lib/ansible/modules/web_infrastructure/jenkins_plugin.py
ANSIBLE VERSION
CONFIGURATION
N/A
OS / ENVIRONMENT
N/A
SUMMARY
It was noticed that using the jenkins_plugin with username and password would log the password on the remote host. After some digging I discovered that in addition to the normal url_username and url_password arguments for fetch_url() the jenkins_plugin module also has a params argument where arbitrary ansible module arguments can be given. This parameter should go away as it circumvents all the normal argument checking, validation, and normalization.
For url_password, this is bad as using param to send in the url_password instead of the specific url_password argument allows the url_password to be logged. This can be a security problem.
I also found the source of the user's use of param instead of url_username and url_password: the module documentation has an example of using param that has that in it.
STEPS TO FIX
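
Added example, not part of the original issue and not Ansible's own code: a simplified model of spec-driven log masking that shows why a secret passed inside the generic `params` dict escapes masking, plus the interim check of rejecting `url_password` in `params`. The spec layout, the `<masked>` placeholder, the helper names and the sample arguments are all constructed assumptions.

```python
# Simplified model of argument-spec-driven log masking; not Ansible's code.
MASK = "<masked>"  # constructed placeholder

# Constructed spec: only top-level options can carry a no_log flag.
ARGUMENT_SPEC = {
    "name": {"type": "str"},
    "url_username": {"type": "str"},
    "url_password": {"type": "str", "no_log": True},
    "params": {"type": "dict"},  # generic, unchecked override dict
}

SENSITIVE_KEYS = frozenset({"url_password"})


def loggable_args(spec, args):
    """Return the view of args a logger would record, masking no_log options."""
    return {
        key: MASK if spec.get(key, {}).get("no_log") else value
        for key, value in args.items()
    }


def reject_secret_overrides(args):
    """Raise if a sensitive option is passed through params instead of its own option."""
    leaked = SENSITIVE_KEYS & set(args.get("params") or {})
    if leaked:
        raise ValueError(
            "do not pass %s in params; use the dedicated option"
            % ", ".join(sorted(leaked))
        )
    return args


# Constructed task arguments: dedicated options versus the params override.
SAFE = {"name": "git", "url_username": "admin", "url_password": "s3cret"}
UNSAFE = {"name": "git",
          "params": {"url_username": "admin", "url_password": "s3cret"}}

if __name__ == "__main__":
    print(loggable_args(ARGUMENT_SPEC, SAFE))    # password masked
    print(loggable_args(ARGUMENT_SPEC, UNSAFE))  # password visible inside params
    try:
        reject_secret_overrides(UNSAFE)
    except ValueError as exc:
        print("rejected:", exc)
```

The masking step only sees the keys declared in the spec, so anything nested under `params` is recorded as an opaque value; that is the gap the removal of `params` closes.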