
no_log mask suboption fallback values and defaults CVE-2021-20228 #73487

Merged: 3 commits merged into ansible:devel from the nolog-suboptions branch on Feb 4, 2021

Conversation

@jborean93 (Contributor) commented Feb 4, 2021

SUMMARY

Make sure default and fallback values for no_log fields are masked in the module output.

CVE-2021-20228

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

basic.py
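To make the bug concrete, here is a small stand-alone model of the behaviour the summary describes. It is an added example, not Ansible's code: a constructed argument-spec processor in the shape of AnsibleModule's no_log handling (explicit values, defaults, fallbacks, suboptions), with a flag that switches between "only caller-supplied values are recorded for masking" (the pre-fix gap for suboptions) and "values produced by a default or fallback are recorded too" (the fix). The names run_module, _collect_values, FallbackNotFound and the DEMO_API_TOKEN variable are assumptions for the example, and env_fallback here reads an injected mapping rather than os.environ so the run is deterministic.

```python
"""Constructed model of the no_log gap this PR closes (added example, not Ansible code)."""
import copy
import json

PLACEHOLDER = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"


class FallbackNotFound(Exception):
    """Stand-in for AnsibleFallbackNotFound: the fallback had nothing to offer."""


def env_fallback(*names, environ):
    """Like basic.env_fallback, but reads an injected mapping instead of os.environ."""
    for name in names:
        if name in environ:
            return environ[name]
    raise FallbackNotFound(names)


def _collect_values(spec, params, no_log_values, *, mask_set_values, environ):
    """Fill fallbacks and defaults into params (in place) and record no_log values.

    mask_set_values=False models the pre-fix behaviour: only values the caller
    supplied are recorded for masking.  mask_set_values=True models the fix:
    values produced by a default or a fallback are recorded as well.
    """
    for key, opt in spec.items():
        came_from_user = key in params
        if not came_from_user and opt.get("fallback") is not None:
            func, args = opt["fallback"][0], opt["fallback"][1:]
            try:
                params[key] = func(*args, environ=environ)
            except FallbackNotFound:
                pass  # nothing to fall back on; a default may still apply
        if key not in params and "default" in opt:
            params[key] = opt["default"]
        if key not in params:
            continue
        if opt.get("no_log") and (came_from_user or mask_set_values):
            no_log_values.add(str(params[key]))
        sub_spec = opt.get("options")
        if sub_spec and isinstance(params[key], dict):
            _collect_values(sub_spec, params[key], no_log_values,
                            mask_set_values=mask_set_values, environ=environ)


def remove_values(value, no_log_values):
    """Scrub every recorded no_log value from a result structure (strings only)."""
    if isinstance(value, dict):
        return {k: remove_values(v, no_log_values) for k, v in value.items()}
    if isinstance(value, list):
        return [remove_values(v, no_log_values) for v in value]
    if isinstance(value, str):
        for secret in sorted(no_log_values, key=len, reverse=True):
            if secret and secret in value:
                value = value.replace(secret, PLACEHOLDER)
    return value


# Constructed argument spec: the secrets live in suboptions, as in the CVE.
ARGUMENT_SPEC = {
    "name": {"type": "str", "required": True},
    "auth": {
        "type": "dict",
        "options": {
            "user": {"type": "str", "default": "admin"},
            "password": {"type": "str", "no_log": True, "default": "changeme"},
            "token": {"type": "str", "no_log": True,
                      "fallback": (env_fallback, "DEMO_API_TOKEN")},
        },
    },
}


def run_module(params, *, fixed, environ):
    """Return the scrubbed result a module would emit for these params.

    invocation.module_args is where a module echoes its parameters back, so it
    is exactly where an unmasked default or fallback value would leak.
    """
    params = copy.deepcopy(params)
    no_log_values = set()
    _collect_values(ARGUMENT_SPEC, params, no_log_values,
                    mask_set_values=fixed, environ=environ)
    result = {"changed": False, "invocation": {"module_args": params}}
    return remove_values(result, no_log_values)


if __name__ == "__main__":
    env = {"DEMO_API_TOKEN": "tok-5f3a"}  # constructed environment for the demo
    for fixed in (False, True):
        out = run_module({"name": "db1", "auth": {}}, fixed=fixed, environ=env)
        print("fixed" if fixed else "before fix",
              json.dumps(out["invocation"]["module_args"]))
```

Run with the caller passing `auth: {}` and the token only in the environment: before the fix, `changeme` and `tok-5f3a` appear in clear text in `invocation.module_args`, while a password the caller passed explicitly is masked in both modes. The practical check for an existing module is the same one the example performs: invoke it without supplying the no_log suboption and inspect the returned `invocation.module_args` (visible with verbose output) for the defaulted or environment-sourced value.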

ansibot added labels affects_2.11, bug, collection, collection:amazon.aws, needs_ci, needs_revision, needs_triage, support:community, support:core on Feb 4, 2021
@sivel (Member) commented Feb 4, 2021

We'll need a changelog for security_fixes that includes the CVE that I added to the summary above.

ansibot added label core_review and removed needs_ci, needs_revision on Feb 4, 2021
@ansibot (Contributor) commented Feb 4, 2021

The test `ansible-test sanity --test pep8` failed with 1 error:

lib/ansible/module_utils/basic.py:1938:13: E731: do not assign a lambda expression, use a def

ansibot added label ci_verified, needs_revision and removed core_review; then added needs_ci and removed ci_verified on Feb 4, 2021
@samdoran (Contributor) commented Feb 4, 2021

I just moved these methods to functions (in my as yet unmerged PR) for use by the arg spec validator. I'll make sure to incorporate these changes once this PR is merged.

ansibot added label core_review and removed needs_ci, needs_revision on Feb 4, 2021
@s-hertel (Contributor) left a review comment

Looks good to me

@Shrews (Contributor) left a review comment

Not a fan of the combination of logic here to reduce duplicate code (reads a bit complex), but it seems equivalent.

jborean93 changed the title from "no_log mask suboption fallback values and defaults" to "no_log mask suboption fallback values and defaults CVE-2021-20228" on Feb 4, 2021
@jborean93 (Contributor, author) commented

Thanks for the review all.

@jborean93 jborean93 merged commit 0cdc410 into ansible:devel Feb 4, 2021
@jborean93 jborean93 deleted the nolog-suboptions branch February 4, 2021 23:12
jborean93 added a commit to jborean93/ansible that referenced this pull request Feb 4, 2021
…sible#73487)

* no_log mask suboption fallback values and defaults

* Added changelog

* Remove lambda expression

(cherry picked from commit 0cdc410)
jborean93 added two further commits to jborean93/ansible referencing this pull request on Feb 4, 2021, each with the same message (cherry picked from commit 0cdc410).
@jborean93 (Contributor, author) commented

Backport PRs

2.8 - #73492
2.9 - #73493
2.10 - #73494

relrod pushed a commit referencing this pull request on Feb 5, 2021, and a commit to jborean93/ansible on Feb 5, 2021 with the same message (cherry picked from commit 0cdc410); relrod pushed two more commits referencing this pull request on Feb 7, 2021.
@mkrizek mkrizek removed the needs_triage Needs a first human triage before being processed. label Feb 8, 2021
@ansible ansible locked and limited conversation to collaborators Mar 4, 2021