Sumologic callback plugin logging sensitive data #63522

Closed
poblahblahblah opened this issue Oct 15, 2019 · 2 comments · Fixed by #63527
Labels
affects_2.7 This issue/PR affects Ansible v2.7 bug This issue/PR relates to a bug. has_pr This issue has an associated PR. support:core This issue/PR relates to code supported by the Ansible Engineering Team.

Comments

@poblahblahblah
Contributor

SUMMARY

The sumologic plugin logs sensitive data because no_log is not respected for arguments/vars passed to modules via the ansible_task object.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

code where ansible_task is defined: https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/callback/sumologic.py#L107

ANSIBLE VERSION
ansible 2.7.11
  config file = /Users/pobrien/src/ttd/ansible/ansible.cfg
  configured module search path = [u'/Users/pobrien/src/ttd/ansible/library']
  ansible python module location = /Users/pobrien/.pyenv/versions/2.7.15/lib/python2.7/site-packages/ansible
  executable location = /Users/pobrien/.pyenv/versions/2.7.15/bin/ansible
  python version = 2.7.15 (default, Mar 14 2019, 16:12:40) [GCC 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.10.44.4)]
CONFIGURATION
[defaults]
callback_plugins = ./plugins/callback
callback_whitelist = sumologic
display_skipped_hosts = no

[callback_sumologic]
url = https://sumourl
OS / ENVIRONMENT

MacOS 10.14.6

STEPS TO REPRODUCE

Configure a SumoLogic endpoint and add configuration to ansible.cfg - you can find an example of our callback configs above.

Below we are using a custom module, but this also happens with every other module we've tested. The module we wrote, inventory_node, has no_log: True specified on the api_key argument.

This also happens if no_log: true is passed to any task.

- name: create node in inventory via inventory_node module
  delegate_to: localhost
  connection: local

  inventory_node:
    node_name: "{{ inventory_hostname }}"
    internal_ip: "{{ internal_ip }}"
    role_id: "{{ role_id }}"
    datacenter_id: "{{ datacenter_id }}"
    cluster: "{{ cluster | default(omit) }}"
    instance_id: "{{ instance_id | default(omit) }}"

    api_key: "{{ inventory_api_key }}"
    state: present
EXPECTED RESULTS

I would expect that we not see the api key show up in SumoLogic.

ACTUAL RESULTS

We see the api key show up in our SumoLogic logs. Below is the full JSON payload that is sent and received.

The ansible_result object correctly removes the sensitive field, but the ansible_task object does not.

{
  "ansible_check_mode": true,
  "ansible_host": "10.0.0.10",
  "ansible_playbook": "bootstrap.yaml",
  "ansible_result": {
    "_ansible_delegated_vars": {
      "ansible_delegated_host": "localhost",
      "ansible_host": "localhost"
    },
    "_ansible_no_log": false,
    "_ansible_parsed": true,
    "changed": true,
    "debug": {
      "Cluster": 1,
      "CrudStatus": {
        "Description": null,
        "Message": null,
        "Status": true,
        "Target": null,
        "Type": 0
      },
      "DatacenterId": 14,
      "Hostname": "TestClientInstance3KWSRVFUN1423",
      "InstanceId": "i-00000000",
      "InternalIp": "10.0.0.10",
      "ManagementIp": "10.0.0.10",
      "Name": "TestClientInstance3KWSRVFUN1423",
      "NodeId": 0,
      "Password": null,
      "RoleId": 218
    },
    "invocation": {
      "module_args": {
        "api_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", # API KEY HIDDEN HERE
        "cluster": 1,
        "datacenter_id": 14,
        "instance_id": "i-00000000",
        "internal_ip": "10.0.0.10",
        "management_ip": "10.0.0.10",
        "node_name": "TestClientInstance3KWSRVFUN1423",
        "role_id": 218,
        "state": "present"
      }
    },
    "msg": "node absent, desired present, and create was successful."
  },
  "ansible_role": "infraflow/inventory_node_create",
  "ansible_task": {
    "action": "inventory_node",
    "any_errors_fatal": false,
    "args": {
      "_ansible_check_mode": false,
      "_ansible_debug": false,
      "_ansible_diff": false,
      "_ansible_keep_remote_files": false,
      "_ansible_module_name": "inventory_node",
      "_ansible_no_log": false,
      "_ansible_remote_tmp": "~/.ansible/tmp",
      "_ansible_selinux_special_fs": [
        "fuse",
        "nfs",
        "vboxsf",
        "ramfs",
        "9p"
      ],
      "_ansible_shell_executable": "/bin/sh",
      "_ansible_socket": null,
      "_ansible_syslog_facility": "LOG_USER",
      "_ansible_tmpdir": null,
      "_ansible_verbosity": 3,
      "_ansible_version": "2.7.7",
      "api_key": "0000-0000-0000-00000000-000000000000", # API KEY IN PLAIN TEXT IS HERE
      "cluster": "1",
      "datacenter_id": "14",
      "instance_id": "i-00000000",
      "internal_ip": "10.0.0.10",
      "management_ip": "10.0.0.10",
      "node_name": "TestClientInstance3KWSRVFUN1423",
      "role_id": "218",
      "state": "present"
    },
    "async": 0,
    "async_val": 0,
    "become": null,
    "become_flags": null,
    "become_method": null,
    "become_user": null,
    "changed_when": [],
    "check_mode": null,
    "connection": "local",
    "debugger": null,
    "delay": 5,
    "delegate_facts": false,
    "delegate_to": "localhost",
    "diff": null,
    "environment": [
      {
        "bootstrap_status": "running",
        "hostname": "TestClientInstance3KWSRVFUN1423"
      }
    ],
    "failed_when": [],
    "ignore_errors": null,
    "ignore_unreachable": null,
    "loop": null,
    "loop_control": null,
    "loop_with": null,
    "module_defaults": [],
    "name": "create node in inventory via inventory api",
    "no_log": null,
    "notify": null,
    "poll": 10,
    "port": null,
    "register": null,
    "remote_user": null,
    "retries": 3,
    "run_once": null,
    "tags": [],
    "until": [],
    "vars": {},
    "when": []
  },
  "ansible_version": "2.7.7",
  "host": "awx",
  "ip_address": "172.17.0.4",
  "runtime": 1.7737,
  "session": "a7d38e86-fc5e-4ab9-a17b-6f6284563afd",
  "status": "OK",
  "timestamp": "2019-10-15 00:00:22 +0000",
  "user": "root",
  "uuid": "0242ac11-0004-ef6c-d1cc-0000000002fe"
}
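The payload above shows the defect: ansible_result.invocation.module_args carries the VALUE_SPECIFIED_IN_NO_LOG_PARAMETER sentinel for api_key while ansible_task.args carries the real key. The following is an added example (not code from this issue or from Ansible) of a check a log-sink integration can run on such a payload before shipping it, using that sentinel to detect which task args were declared no_log and to redact them; the payload it runs on is a constructed, trimmed version of the one in the report.

```python
import copy
import json

# Sentinel Ansible writes into result.invocation.module_args for no_log args
NO_LOG_SENTINEL = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"


def find_no_log_leaks(payload):
    """Return arg names redacted in ansible_result but present in clear text
    under ansible_task.args, i.e. the leak described in the report."""
    module_args = payload.get("ansible_result", {}).get("invocation", {}).get("module_args", {})
    task_args = payload.get("ansible_task", {}).get("args", {})
    return sorted(
        key for key, value in module_args.items()
        if value == NO_LOG_SENTINEL and key in task_args and task_args[key] != NO_LOG_SENTINEL
    )


def redact_payload(payload):
    """Return a deep copy safe to send to a log sink. If the task itself was
    marked no_log, drop its args entirely (every value may be secret);
    otherwise replace each module-level no_log arg with the sentinel."""
    safe = copy.deepcopy(payload)
    task = safe.get("ansible_task")
    if task is None:
        return safe
    if task.get("no_log") or task.get("args", {}).get("_ansible_no_log"):
        task["args"] = {}
        return safe
    for key in find_no_log_leaks(payload):
        task["args"][key] = NO_LOG_SENTINEL
    return safe


# Constructed sample: same shape as the report's payload, only the relevant keys
SAMPLE_PAYLOAD = {
    "ansible_result": {"invocation": {"module_args": {
        "api_key": NO_LOG_SENTINEL, "node_name": "node1", "state": "present"}}},
    "ansible_task": {"action": "inventory_node", "no_log": None, "args": {
        "_ansible_no_log": False, "api_key": "0000-0000-0000-00000000-000000000000",
        "node_name": "node1", "state": "present"}},
}

if __name__ == "__main__":
    print("leaked no_log args:", find_no_log_leaks(SAMPLE_PAYLOAD))
    print(json.dumps(redact_payload(SAMPLE_PAYLOAD)["ansible_task"]["args"], indent=2))
```

The sentinel heuristic only covers args the module declared no_log; a task-level no_log: true leaves no marker in the result, which is why the function drops the task args wholesale in that case.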

@ansibot
Contributor

ansibot commented Oct 15, 2019

Files identified in the description:
None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibot ansibot added affects_2.7 This issue/PR affects Ansible v2.7 bug This issue/PR relates to a bug. needs_triage Needs a first human triage before being processed. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Oct 15, 2019
poblahblahblah added a commit to poblahblahblah/ansible that referenced this issue Oct 15, 2019
@poblahblahblah
Contributor Author

I did a cursory glance through the splunk callback plugin and I think this impacts splunk as well, but I don't have a splunk subscription so I can't test it to verify.

@ansibot ansibot added the has_pr This issue has an associated PR. label Oct 15, 2019
poblahblahblah added a commit to poblahblahblah/ansible that referenced this issue Oct 16, 2019
as it can contain sensitive data

Fixes ansible#63522
@samdoran samdoran removed the needs_triage Needs a first human triage before being processed. label Oct 17, 2019
Akasurde pushed a commit to poblahblahblah/ansible that referenced this issue Oct 31, 2019
CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs

Fixes ansible#63522

Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com>
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Akasurde pushed a commit that referenced this issue Nov 1, 2019
…ugin(#63527)

CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs

Fixes #63522

Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com>
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Akasurde pushed a commit to Akasurde/ansible that referenced this issue Nov 1, 2019
…unk plugin

CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs

Fixes ansible#63522

Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com>
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
(cherry picked from commit c76e074)
nitzmahone pushed a commit that referenced this issue Nov 12, 2019
…unk plugin (#64274)

CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs

Fixes #63522

Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com>
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
(cherry picked from commit c76e074)
nitzmahone pushed a commit that referenced this issue Nov 12, 2019
…unk plugin (#64273)

CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs

Fixes #63522

Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com>
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
(cherry picked from commit c76e074)
nitzmahone pushed a commit to nitzmahone/ansible that referenced this issue Nov 12, 2019
…ugin(ansible#63527)

CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs

Fixes ansible#63522

Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com>
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
(cherry picked from commit c76e074)
nitzmahone added a commit that referenced this issue Nov 13, 2019
…ugin(#63527) (#64748)

CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs

Fixes #63522

Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com>
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
(cherry picked from commit c76e074)
@ansible ansible locked and limited conversation to collaborators Dec 2, 2019
anshulbehl pushed a commit to anshulbehl/ansible that referenced this issue Dec 10, 2019
…ugin(ansible#63527)

CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs

Fixes ansible#63522

Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com>
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>