Mask rendered data (in logs) #48291
salt/utils/sanitizers.py
Outdated
for line in data.split(os.linesep): | ||
if fnmatch.fnmatch(line.strip(), mask) and ':' in line: | ||
key, value = line.split(':', 1) | ||
out.append('{}: {}'.format(key.strip(), '** hidden **')) |
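Review bot: `data.split(os.linesep)` in the loop header splits on `\r\n` when this runs on Windows, so text that carries plain `\n` line endings stays one string there and the per-line check never sees the individual `key: value` lines, which lets the values through unmasked; `data.splitlines()` handles both endings. Separately, `fnmatch.fnmatch(line.strip(), mask)` tests the mask against the whole line, value included, and follows the platform's case rules. Matching `key.strip()` with `fnmatch.fnmatchcase` after the split would make a mask that is a bare key name behave the same everywhere.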
Just as a precaution, `key.strip()` should probably be `salt.utils.stringutils.to_unicode(key.strip())`, to prevent a `UnicodeDecodeError` if `key` happens to be a `str` type with non-ascii unicode in it.
salt/utils/sanitizers.py
Outdated
|
||
Note, this is working only when data is a single string, | ||
ready for print or dump to the log. Also, when the data is formatted | ||
as "key: value" in YAML syntax. |
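Review bot: the note in this docstring says when masking works but not what the caller gets otherwise. Since the point of the function is keeping secrets out of logs, the docstring should state what is returned for input that is not a single string of "key: value" lines, so that nobody relies on it for nested or multi-line values.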
Can we reword the above two paragraphs like this?
This can be used for cases where keys in your roster file may contain
sensitive data such as IP addresses, passwords, user names, etc.
Note that this works only when ``data`` is a single string (i.e. when the
data in the roster is formatted as ``key: value`` pairs in YAML syntax).
@terminalmage done!
What does this PR do?
What issues does this PR fix or reference?
When you call `salt-ssh -l debug`, you will get the entire roster with the passwords directly in the log. This PR fixes this by matching `key: value` strings in the output data and replaces YAML values with the `** hidden **` string. This can be applied for passwords, user IDs, actual IP addresses etc.

NOTE: this is so far limited only to `key: value` where `value` is replaced. Feel free to extend it for IP addresses etc.

Tests written?
Yes
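An added example, not code from this PR or from Salt: a stand-alone version of the `key: value` masking the description talks about, generalized to match the mask against the key only and to drop the continuation lines of a masked multi-line value. `mask_yaml_values`, `SAMPLE_ROSTER` and the sample keys and values are assumptions made for illustration.

```python
import fnmatch
import re

HIDDEN = "** hidden **"  # same placeholder string the PR description names

# Constructed sample of rendered roster text (not taken from the PR).
SAMPLE_ROSTER = """\
web1:
  host: 192.0.2.10
  user: deploy
  passwd: s3cr3t:with:colons
  priv_key: |
    -----BEGIN CONSTRUCTED KEY-----
    AAAA
  port: 22
"""

# indent, key, then either end of line or whitespace plus the value
_KEY_VALUE = re.compile(r"^(\s*)([^\s:#][^:]*?)\s*:(?:\s+(.*))?$")


def mask_yaml_values(text, key_masks):
    """Return text with the value of every key matching key_masks replaced."""
    out = []
    hide_deeper_than = None  # indent of a masked key whose value may continue below
    for line in text.splitlines():  # handles both \n and \r\n
        indent = len(line) - len(line.lstrip())
        if hide_deeper_than is not None:
            if line.strip() and indent <= hide_deeper_than:
                hide_deeper_than = None  # masked block ended
            else:
                continue  # continuation of a masked value: never emitted
        m = _KEY_VALUE.match(line)
        # fnmatchcase: same case-sensitive result on every platform
        if m and any(fnmatch.fnmatchcase(m.group(2), k) for k in key_masks):
            out.append("{}{}: {}".format(m.group(1), m.group(2), HIDDEN))
            hide_deeper_than = indent
        else:
            out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(mask_yaml_values(SAMPLE_ROSTER, ["passw*", "priv_key"]))
```
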