diff options
author | Abhijeet Kasurde <akasurde@redhat.com> | 2021-02-06 02:19:31 +0530 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-02-05 14:49:31 -0600 |
commit | bfea16c4f741d4cd10c8e17bf7eed14240345cb5 (patch) | |
tree | e487ca95309c61828833adedd415ca9518adf7bc | |
parent | f8ff395d817c3eddc050f809919c15dfb5796120 (diff) | |
download | ansible-bfea16c4f741d4cd10c8e17bf7eed14240345cb5.tar.gz |
[bp-2.8] bitbucket_pipeline_variable: Hide secured values in console log (#73242)
**SECURITY** - CVE-2021-20180
Hide user sensitive information which is marked as ``secured``
while logging in console.
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
-rw-r--r-- | changelogs/fragments/cve_bitbucket_pipeline_variable.yml | 2 | ||||
-rw-r--r-- | lib/ansible/modules/source_control/bitbucket/bitbucket_pipeline_variable.py | 14 |
2 files changed, 13 insertions, 3 deletions
diff --git a/changelogs/fragments/cve_bitbucket_pipeline_variable.yml b/changelogs/fragments/cve_bitbucket_pipeline_variable.yml new file mode 100644 index 0000000000..f5b175e1ef --- /dev/null +++ b/changelogs/fragments/cve_bitbucket_pipeline_variable.yml @@ -0,0 +1,2 @@ +security_fixes: +- 'bitbucket_pipeline_variable - hide user sensitive information which are marked as ``secured`` from logging into the console (https://github.com/ansible-collections/community.general/pull/1635) (CVE-2021-20180).' diff --git a/lib/ansible/modules/source_control/bitbucket/bitbucket_pipeline_variable.py b/lib/ansible/modules/source_control/bitbucket/bitbucket_pipeline_variable.py index f34cb12f3f..c6b0ad51fe 100644 --- a/lib/ansible/modules/source_control/bitbucket/bitbucket_pipeline_variable.py +++ b/lib/ansible/modules/source_control/bitbucket/bitbucket_pipeline_variable.py @@ -79,7 +79,7 @@ EXAMPLES = r''' secured: '{{ item.secured }}' state: present with_items: - - { name: AWS_ACCESS_KEY, value: ABCD1234 } + - { name: AWS_ACCESS_KEY, value: ABCD1234, secured: False } - { name: AWS_SECRET, value: qwe789poi123vbn0, secured: True } - name: Remove pipeline variable @@ -92,7 +92,7 @@ EXAMPLES = r''' RETURN = r''' # ''' -from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.basic import AnsibleModule, _load_params from ansible.module_utils.source_control.bitbucket import BitbucketHelper error_messages = { @@ -214,6 +214,14 @@ def delete_pipeline_variable(module, bitbucket, variable_uuid): )) +class BitBucketPipelineVariable(AnsibleModule): + def __init__(self, *args, **kwargs): + params = _load_params() or {} + if params.get('secured'): + kwargs['argument_spec']['value'].update({'no_log': True}) + super(BitBucketPipelineVariable, self).__init__(*args, **kwargs) + + def main(): argument_spec = BitbucketHelper.bitbucket_argument_spec() argument_spec.update( @@ -224,7 +232,7 @@ def main(): secured=dict(type='bool', default=False), state=dict(type='str', choices=['present', 'absent'], required=True), ) - module = AnsibleModule( + module = BitBucketPipelineVariable( argument_spec=argument_spec, supports_check_mode=True, ) |