uri module set string with masked content into content and json output #68400
Comments
Files identified in the description: If these files are inaccurate, please update the

Actually we should be masking the non json keys also.

Files identified in the description: If these files are incorrect, please update the
It's masking the non-json (response.content) value as well. Adding the facts to the debug msg confirms this:

```yaml
- hosts: localhost
  connection: local
  tasks:
    - name: send request
      uri:
        url: "https://postman-echo.com/get?name=something-with-admin"
        user: admin
        password: admin
        method: GET
        force_basic_auth: yes
        return_content: yes
        status_code: 200
      register: response

    - name: extract value
      vars:
        query: args.name
      set_fact:
        value_json: "{{ response.json.args.name }}"
        value_content: "{{ response.content }}"
        value_content_parsed: "{{ response.content | from_json | json_query(query) }}"

    - name: debug
      debug:
        msg:
          - "{{ value_json }}"
          - "{{ value_content }}"
          - "{{ value_content_parsed }}"
          - "{{ 'something-with-admin' in value_json }}"
          - "{{ 'something-with-admin' in value_content }}"
          - "{{ 'something-with-admin' in value_content_parsed }}"
          - "{{ 'something-with-********' in value_json }}"
          - "{{ 'something-with-********' in value_content }}"
          - "{{ 'something-with-********' in value_content_parsed }}"
```
@bcoca, is there work to do here? It sounds like the request is to stop masking the values, but your comment indicates that these values should be masked.

@rubber-side-down Why is that the case? The module example seems to indicate that it is just a string:

@hungluong5791 I'm uncertain why this is the case, but it's pretty clear from modifying the debug msg spec that this is the case. My best guess is that the response.content is being decoded automatically based on the content-type header. The content-type header is "text/html; charset=UTF-8" for http://www.example.com, but it is "application/json; charset=utf-8" for https://postman-echo.com/get?name=something-with-admin.

Yes, the request to not mask the values is invalid. In fact, this issue identified that we need to mask more data.
@rubber-side-down I see, that might be it. But do you think that behaviour is inherently confusing and unnecessary? That's the entire purpose of the response's
@hungluong5791, I could go either way on the behavior of request content marshaling/deserialization, but it's beyond the scope of this issue.
@hungluong5791 We purposefully mask return values to hide no log values. Because you have chosen a password that also appears in the output, the values are masked. You pointed out a security flaw in our code, and as such, we addressed it. Consider changing your password to some value that is not included in the return values from the API.
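The behaviour described in the playbook above and in @sivel's explanation, as an added example that is not part of this issue and not Ansible's own code (Ansible's real implementation, remove_values() in module_utils, handles more types and cases). It walks a uri-style result recursively and replaces every occurrence of a no_log value with `********`, so a password that is also a substring of the response body ends up masked in both `content` and `json`, while a password that does not appear in the body leaves the result untouched. The response body and credentials below are constructed for the example.

```python
import json

MASK = "********"


def mask_no_log(value, no_log_values):
    """Recursively replace each no_log value inside strings, dict keys,
    dict values and list items with MASK. Simplified illustration of the
    masking the thread describes; not Ansible's remove_values()."""
    if isinstance(value, str):
        masked = value
        for secret in no_log_values:
            if secret:  # never substitute on an empty string
                masked = masked.replace(secret, MASK)
        return masked
    if isinstance(value, dict):
        return {
            mask_no_log(k, no_log_values): mask_no_log(v, no_log_values)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(mask_no_log(v, no_log_values) for v in value)
    return value  # ints, bools, None pass through unchanged


def build_uri_result(content, no_log_values):
    """Mimic the shape of a uri result with return_content enabled: the raw
    body under 'content' and, when the body parses as JSON, a decoded copy
    under 'json'. Masking is applied to the whole result afterwards, which
    is why both views of the body lose the secret."""
    result = {"status": 200, "content": content}
    try:
        result["json"] = json.loads(content)
    except ValueError:
        pass  # non-JSON body: only 'content' is returned
    return mask_no_log(result, no_log_values)


if __name__ == "__main__":
    # Constructed echo-style body; the query parameter happens to contain
    # the password "admin", exactly the situation from the report.
    body = '{"args": {"name": "something-with-admin"}}'

    masked = build_uri_result(body, {"admin"})
    print(masked["content"])              # something-with-******** in the raw body
    print(masked["json"]["args"]["name"])  # and in the parsed JSON

    # Mitigation from the thread: a password absent from the body is not masked.
    clean = build_uri_result(body, {"correct-horse-battery-staple"})
    print(clean["json"]["args"]["name"])   # something-with-admin
```

Because the substitution is a plain substring replace over the finished result, any field whose value merely contains the secret is rewritten, which is the source of the confusion in the report and the reason for the advice to pick a password that cannot appear in API responses.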
@sivel Thank you for getting back. Yes I understand the behaviour and I think I understand where it is coming from. But please consider the following points:
Thanks
SUMMARY
uri module set string with masked content into content and json output
ISSUE TYPE
COMPONENT NAME
uri
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS
The module should return the json/content value with the correct values
ACTUAL RESULTS
The module seems to apply sensitive info masking ('********') to value matching username/password in its output