removing args from task_fields as it can contain sensitive data #63527

Merged

poblahblahblah
Contributor

SUMMARY

Brute force way of addressing #63522. I considered other alternatives, such as only removing args if no_log was set to true on the task, but it's not guaranteed that no_log will be set on a task that consumes a module where a param has no_log set.

Fixes #63522

ISSUE TYPE

  • Bugfix Pull Request

COMPONENT NAME

sumologic callback

ADDITIONAL INFORMATION
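
The trade-off described in the summary above, as an added example that is not part of the pull request or of Ansible's code: it compares dropping `args` only when the task sets `no_log` with always dropping it. The task dictionaries, the `example_db_user` module and its no_log parameter table are constructed assumptions.

```python
import copy
import json

# Constructed sample data. Field names and the module name are assumptions made
# for this illustration, not Ansible's internal structures.
MODULE_NO_LOG_PARAMS = {"example_db_user": {"password"}}  # hypothetical module spec

TASKS = [
    {"name": "create app user", "action": "example_db_user", "no_log": False,
     "args": {"user": "app", "password": "constructed-secret-1"}},
    {"name": "rotate app user", "action": "example_db_user", "no_log": True,
     "args": {"user": "app", "password": "constructed-secret-2"}},
]


def event_drop_args_if_task_no_log(task_fields):
    """Alternative from the summary: drop args only when the task sets no_log."""
    event = copy.deepcopy(task_fields)
    if event.get("no_log"):
        event.pop("args", None)
    return event


def event_always_drop_args(task_fields):
    """Approach named in the PR title: never forward args to the log service."""
    event = copy.deepcopy(task_fields)
    event.pop("args", None)
    return event


def leaked_secrets(task_fields, build_event):
    """Return the no_log module parameter values that survive into the JSON event."""
    payload = json.dumps(build_event(task_fields))
    secret_params = MODULE_NO_LOG_PARAMS.get(task_fields["action"], set())
    values = [task_fields["args"][p] for p in sorted(secret_params)
              if p in task_fields["args"]]
    return [v for v in values if v in payload]


def audit(build_event):
    """Map task name -> leaked values for every constructed task."""
    return {t["name"]: leaked_secrets(t, build_event) for t in TASKS}


if __name__ == "__main__":
    print("conditional:", audit(event_drop_args_if_task_no_log))
    print("always drop:", audit(event_always_drop_args))
```

The conditional variant still forwards the password of the task that omits `no_log`, even though the module marks that parameter as sensitive.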

@ansibot
Contributor

ansibot commented Oct 15, 2019

@ansibot added the labels affects_2.10, bug, community_review, needs_triage, new_contributor, small_patch, support:community, needs_revision and removed the label community_review on Oct 15, 2019
Member

@Akasurde Akasurde left a comment

Thanks for the PR.

lib/ansible/plugins/callback/sumologic.py (resolved)

@Akasurde added the label P2 and removed the label needs_triage on Oct 16, 2019
@poblahblahblah
Contributor Author

@Akasurde this is ready for review

@poblahblahblah
Contributor Author

ping

@Akasurde
Member

Akasurde commented Oct 22, 2019

ping

@poblahblahblah I am waiting for Red Hat Security Team's feedback on this. I will keep you updated on this once I have something.

Thanks.

@ansibot added the labels stale_ci and stale_review on Oct 30, 2019

CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs

Fixes ansible#63522

Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com>
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Member

@Akasurde Akasurde left a comment

LGTM

@ansibot removed the labels stale_ci and stale_review on Oct 31, 2019

@abadger
Contributor

abadger commented Nov 1, 2019

+1 looks good and ready to backport as well.

nitzmahone pushed a commit to nitzmahone/ansible that referenced this pull request Nov 12, 2019
…ugin(ansible#63527)

CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs

Fixes ansible#63522

Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com>
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
(cherry picked from commit c76e074)
nitzmahone added a commit that referenced this pull request Nov 13, 2019
…ugin(#63527) (#64748)

CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs

Fixes #63522

Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com>
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
(cherry picked from commit c76e074)
@ansible ansible locked and limited conversation to collaborators Dec 2, 2019
Labels: affects_2.10, bug, needs_revision, new_contributor, P2, support:community
Successfully merging this pull request may close these issues.

Sumologic callback plugin logging sensitive data