Add no_log to some module arguments (#1725) (#1729)

* Add no_log to some module arguments This will prevent potentially sensitive information from being printed to the console. See: CVE-2021-20191 * Update changelogs/fragments/CVE-2021-20191_no_log.yml Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Felix Fontein <felix@fontein.de> (cherry picked from commit ae8edc02e1) Co-authored-by: David Moreau Simard <dmsimard@redhat.com>
2024-09-14 20:13:21 +02:00 · 2021-02-04 21:54:09 +01:00 · 2021-02-04 21:54:09 +01:00 · ad5b8a813f
commit ad5b8a813f
parent 9cccc9f0cd
4 changed files with 8 additions and 4 deletions
--- a/changelogs/fragments/CVE-2021-20191_no_log.yml
+++ b/changelogs/fragments/CVE-2021-20191_no_log.yml
@ -0,0 +1,4 @@
+security_fixes:
+  - module_utils/_netapp, na_ontap_gather_facts - enabled ``no_log`` for the options ``api_key`` and ``secret_key`` to prevent accidental disclosure (CVE-2021-20191, https://github.com/ansible-collections/community.general/pull/1725).
+  - module_utils/identity/keycloak, keycloak_client, keycloak_clienttemplate, keycloak_group - enabled ``no_log`` for the option ``auth_client_secret`` to prevent accidental disclosure (CVE-2021-20191, https://github.com/ansible-collections/community.general/pull/1725).
+  - utm_proxy_auth_profile - enabled ``no_log`` for the option ``frontend_cookie_secret`` to prevent accidental disclosure (CVE-2021-20191, https://github.com/ansible-collections/community.general/pull/1725).
--- a/plugins/module_utils/_netapp.py
+++ b/plugins/module_utils/_netapp.py
@ -142,8 +142,8 @@ def aws_cvs_host_argument_spec():
    return dict(
        api_url=dict(required=True, type='str'),
        validate_certs=dict(required=False, type='bool', default=True),
-        api_key=dict(required=True, type='str'),
-        secret_key=dict(required=True, type='str')
+        api_key=dict(required=True, type='str', no_log=True),
+        secret_key=dict(required=True, type='str', no_log=True)
    )


--- a/plugins/module_utils/identity/keycloak/keycloak.py
+++ b/plugins/module_utils/identity/keycloak/keycloak.py
@ -58,7 +58,7 @@ def keycloak_argument_spec():
        auth_keycloak_url=dict(type='str', aliases=['url'], required=True),
        auth_client_id=dict(type='str', default='admin-cli'),
        auth_realm=dict(type='str', required=True),
-        auth_client_secret=dict(type='str', default=None),
+        auth_client_secret=dict(type='str', default=None, no_log=True),
        auth_username=dict(type='str', aliases=['username'], required=True),
        auth_password=dict(type='str', aliases=['password'], required=True, no_log=True),
        validate_certs=dict(type='bool', default=True)
--- a/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py
+++ b/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py
@ -336,7 +336,7 @@ def main():
            backend_user_suffix=dict(type='str', required=False, default=""),
            comment=dict(type='str', required=False, default=""),
            frontend_cookie=dict(type='str', required=False),
-            frontend_cookie_secret=dict(type='str', required=False),
+            frontend_cookie_secret=dict(type='str', required=False, no_log=True),
            frontend_form=dict(type='str', required=False),
            frontend_form_template=dict(type='str', required=False, default=""),
            frontend_login=dict(type='str', required=False),