Closed
Description
SUMMARY
The password is used in the svn command that is run by the subversion module. The password should be passed in via some mechanism other than as a parameter, to avoid the password being readable at /proc/<pid>/cmdline on the managed node.
Problematic code:
ansible/lib/ansible/modules/source_control/subversion.py
Lines 138 to 140 in 79dfae9
ISSUE TYPE
- Bug Report
COMPONENT NAME
lib/ansible/modules/source_control/subversion.py
ANSIBLE VERSION
2.10
CONFIGURATION
default
OS / ENVIRONMENT
STEPS TO REPRODUCE
- subversion:
    repo: svn+ssh://an.example.org/path/to/repo
    dest: /src/checkout
    checkout: no
    update: no
    password: "{{ vault_svn_pass }}"
EXPECTED RESULTS
Password is not visible.
ACTUAL RESULTS
Password can be observed at /proc/<pid>/cmdline on the managed node.
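The exposure described above can be checked on any Linux host. The following is an added example, not the Ansible module's code: it starts a stand-in child process (a Python one-liner in place of svn) once with the secret as an argument and once with the secret written to stdin, and reads /proc/<pid>/cmdline each time. The secret value and all function names are constructed for illustration; `--password` and `--password-from-stdin` are real svn options (the latter from Subversion 1.10 onward), but the stand-in child ignores them.

```python
import subprocess
import sys

# Constructed sample secret, standing in for "{{ vault_svn_pass }}".
SECRET = "constructed-example-secret"

# Stand-in for svn: blocks on stdin so the process stays alive while
# /proc/<pid>/cmdline is read. It ignores its arguments.
CHILD = "import sys; sys.stdin.readline()"


def read_cmdline(pid):
    """Return the NUL-separated argv of a process as a list of bytes."""
    with open(f"/proc/{pid}/cmdline", "rb") as handle:
        return [arg for arg in handle.read().split(b"\0") if arg]


def secret_in_cmdline(extra_args, stdin_data):
    """Start the stand-in child and report whether SECRET is in its argv."""
    proc = subprocess.Popen(
        [sys.executable, "-c", CHILD, *extra_args],
        stdin=subprocess.PIPE,
    )
    try:
        # Popen returns only after exec, so this is the child's final argv.
        args = read_cmdline(proc.pid)
    finally:
        proc.communicate(stdin_data)  # unblock the child and reap it
    return any(SECRET.encode() in arg for arg in args)


def exposed_via_argument():
    """Secret passed as a parameter, as in the reported behaviour."""
    return secret_in_cmdline(["--password", SECRET], b"\n")


def exposed_via_stdin():
    """Secret written to the child's stdin instead of its argv."""
    return secret_in_cmdline(["--password-from-stdin"], SECRET.encode() + b"\n")


if __name__ == "__main__":
    print("secret visible when passed as argument:", exposed_via_argument())
    print("secret visible when passed on stdin:   ", exposed_via_stdin())
```
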