Skip to content

Make sure that all no_log parameters are processed even if some arguments have values of the wrong type #81672

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: devel
Choose a base branch
from
Open

Make sure that all no_log parameters are processed even if some arguments have values of the wrong type #81672

wants to merge 1 commit into from
+25 −9

Conversation

felixfontein
Copy link
Contributor

SUMMARY

Currently the no_log value processing terminates prematurely if values that should be dictionaries or lists of dictionaries have the wrong type. This can cause values passed to no_log parameters to show up in logs. The reason why that doesn't happen right now is another bug which makes argspec validation crash in that case later on (that bug is fixed in #81631). See the discussion in #81631 for details.

The patch was provided by @s-hertel in #81631 (comment), I added a changelog fragment and refactored the code slightly to remove code duplication.

ISSUE TYPE
  • Bugfix Pull Request

@felixfontein felixfontein mentioned this pull request Sep 9, 2023
Open
@ansibot ansibot added bug This issue/PR relates to a bug. needs_triage Needs a first human triage before being processed. labels Sep 9, 2023
@s-hertel s-hertel added P3 Priority 3 - Approved, No Time Limitation and removed needs_triage Needs a first human triage before being processed. labels Sep 12, 2023
bcoca
bcoca requested changes Sep 12, 2023
View reviewed changes
Copy link
Member

@bcoca bcoca left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code lgtm, but would like a test to avoid regressions

@ansibot ansibot added the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label Sep 12, 2023
@felixfontein
Copy link
Contributor Author

@bcoca it is impossible to test this situation without having #81631 merged, since the bug fixed by #81631 makes the module crash when the code from this PR adds an error message.

Basically the test fixed in 1e61657 serves as a regression test for this PR - but only when #81631 is merged, since without it that test passes because the module crashes, and not necessarily because the code touched in this PR is correct.

s-hertel
s-hertel reviewed Sep 13, 2023
View reviewed changes
changelogs/fragments/81762-no_log.yml
Comment on lines +1 to +2
bugfixes:
- argument spec validation - make sure that all ``no_log`` parameters are processed even if some arguments have values of the wrong type (https://github.com/ansible/ansible/pull/81672).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is just a preventative measure, this should probably be a minor_changes fragment.

Suggested change
bugfixes:
- argument spec validation - make sure that all ``no_log`` parameters are processed even if some arguments have values of the wrong type (https://github.com/ansible/ansible/pull/81672).
minor_changes:
- argument spec validation - process all ``no_log`` parameters recursively before validating the argument spec (https://github.com/ansible/ansible/pull/81672).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Once #81631 or something equivalent is merged, this fixes a real CVE-worthy bug.

The only reason this isn't a bug right now is that a crash in another part is preventing this bug to have any effect. It is still a bug IMO.

@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Sep 20, 2023
@ansibot ansibot added the needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html label Mar 5, 2024
@ansibot ansibot added stale_review Updates were made after the last review and the last review is more than 7 days old. and removed needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. labels Mar 17, 2024
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Mar 26, 2024
@ansibot ansibot added the stale_pr This PR has not been pushed to for more than one year. label Mar 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@s-hertel s-hertel s-hertel left review comments

@bcoca bcoca bcoca requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
bug This issue/PR relates to a bug. P3 Priority 3 - Approved, No Time Limitation stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. stale_pr This PR has not been pushed to for more than one year. stale_review Updates were made after the last review and the last review is more than 7 days old.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@felixfontein @bcoca @s-hertel @ansibot