author | Abhijeet Kasurde <akasurde@redhat.com> | 2021-02-06 02:18:57 +0530 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-02-05 14:48:57 -0600 |
commit | 4290d704b10b7033367ef060b59c8684ad1cca7f (patch) | |
tree | bf0bfd8ddf0666c6a76a850bab16241df829e4b3 | |
parent | 2282325334c565925f113cd77f74654ad12339d3 (diff) | |
download | ansible-4290d704b10b7033367ef060b59c8684ad1cca7f.tar.gz |
[bp-2.9] bitbucket_pipeline_variable: Hide secured values in console log (#73243)
**SECURITY** - CVE-2021-20180
Hide sensitive user information that is marked as ``secured``
when logging to the console.
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
-rw-r--r-- | changelogs/fragments/cve_bitbucket_pipeline_variable.yml | 2 | ||||
-rw-r--r-- | lib/ansible/modules/source_control/bitbucket/bitbucket_pipeline_variable.py | 14 |
2 files changed, 13 insertions, 3 deletions
diff --git a/changelogs/fragments/cve_bitbucket_pipeline_variable.yml b/changelogs/fragments/cve_bitbucket_pipeline_variable.yml
new file mode 100644
index 0000000000..f5b175e1ef
--- /dev/null
+++ b/changelogs/fragments/cve_bitbucket_pipeline_variable.yml
@@ -0,0 +1,2 @@
+security_fixes:
+- 'bitbucket_pipeline_variable - hide user sensitive information which are marked as ``secured`` from logging into the console (https://github.com/ansible-collections/community.general/pull/1635) (CVE-2021-20180).'
diff --git a/lib/ansible/modules/source_control/bitbucket/bitbucket_pipeline_variable.py b/lib/ansible/modules/source_control/bitbucket/bitbucket_pipeline_variable.py
index f34cb12f3f..c6b0ad51fe 100644
--- a/lib/ansible/modules/source_control/bitbucket/bitbucket_pipeline_variable.py
+++ b/lib/ansible/modules/source_control/bitbucket/bitbucket_pipeline_variable.py
@@ -79,7 +79,7 @@ EXAMPLES = r'''
 secured: '{{ item.secured }}'
 state: present
 with_items:
- - { name: AWS_ACCESS_KEY, value: ABCD1234 }
+ - { name: AWS_ACCESS_KEY, value: ABCD1234, secured: False }
 - { name: AWS_SECRET, value: qwe789poi123vbn0, secured: True }
 - name: Remove pipeline variable
@@ -92,7 +92,7 @@ EXAMPLES = r'''
 RETURN = r''' # '''
-from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.basic import AnsibleModule, _load_params
 from ansible.module_utils.source_control.bitbucket import BitbucketHelper
 error_messages = {
@@ -214,6 +214,14 @@ def delete_pipeline_variable(module, bitbucket, variable_uuid):
 ))
+class BitBucketPipelineVariable(AnsibleModule):
+ def __init__(self, *args, **kwargs):
+ params = _load_params() or {}
+ if params.get('secured'):
+ kwargs['argument_spec']['value'].update({'no_log': True})
+ super(BitBucketPipelineVariable, self).__init__(*args, **kwargs)
+
+
 def main():
 argument_spec = BitbucketHelper.bitbucket_argument_spec()
 argument_spec.update(
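Review bot: In `BitBucketPipelineVariable.__init__` the `secured` flag is read from `_load_params()`, which appears to return the parameters before AnsibleModule has coerced them to the declared `type='bool'`, so any non-empty string (a templated `'False'`, for instance) is truthy and also switches `no_log` on. That errs towards hiding, which is the safe direction, but it deserves a comment such as `# raw, un-coerced value: any truthy input masks 'value'` so that nobody later tightens it into a strict comparison that could leak. The class also relies on the private helper `_load_params` imported in the `@@ -92,7 +92,7 @@` hunk and on `argument_spec` arriving as a keyword with a `value` entry (a positional call would raise `KeyError`); a short class docstring stating both assumptions would help. Because a secret submitted with `secured` left at its default of `False` is still logged, consider whether `value` should simply carry `no_log=True` unconditionally.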
@@ -224,7 +232,7 @@ def main():
 secured=dict(type='bool', default=False),
 state=dict(type='str', choices=['present', 'absent'], required=True),
 )
- module = AnsibleModule(
+ module = BitBucketPipelineVariable(
 argument_spec=argument_spec,
 supports_check_mode=True,
 ) |