From ad5b8a813f5d01a794c3aeaf6c76302a5aa25bc7 Mon Sep 17 00:00:00 2001
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com>
Date: Thu, 4 Feb 2021 21:54:09 +0100
Subject: [PATCH] Add no_log to some module arguments (#1725) (#1729)

* Add no_log to some module arguments

This will prevent potentially sensitive information from being printed to
the console.

See: CVE-2021-20191

* Update changelogs/fragments/CVE-2021-20191_no_log.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit ae8edc02e1943ef9232312471de389e72bef869c)

Co-authored-by: David Moreau Simard <dmsimard@redhat.com>
---
 changelogs/fragments/CVE-2021-20191_no_log.yml                | 4 ++++
 plugins/module_utils/_netapp.py                               | 4 ++--
 plugins/module_utils/identity/keycloak/keycloak.py            | 2 +-
 .../web_infrastructure/sophos_utm/utm_proxy_auth_profile.py   | 2 +-
 4 files changed, 8 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/fragments/CVE-2021-20191_no_log.yml

diff --git a/changelogs/fragments/CVE-2021-20191_no_log.yml b/changelogs/fragments/CVE-2021-20191_no_log.yml
new file mode 100644
index 0000000000..a2c8740598
--- /dev/null
+++ b/changelogs/fragments/CVE-2021-20191_no_log.yml
@@ -0,0 +1,4 @@
+security_fixes:
+  - module_utils/_netapp, na_ontap_gather_facts - enabled ``no_log`` for the options ``api_key`` and ``secret_key`` to prevent accidental disclosure (CVE-2021-20191, https://github.com/ansible-collections/community.general/pull/1725).
+  - module_utils/identity/keycloak, keycloak_client, keycloak_clienttemplate, keycloak_group - enabled ``no_log`` for the option ``auth_client_secret`` to prevent accidental disclosure (CVE-2021-20191, https://github.com/ansible-collections/community.general/pull/1725).
+  - utm_proxy_auth_profile - enabled ``no_log`` for the option ``frontend_cookie_secret`` to prevent accidental disclosure (CVE-2021-20191, https://github.com/ansible-collections/community.general/pull/1725).
diff --git a/plugins/module_utils/_netapp.py b/plugins/module_utils/_netapp.py
index d6d0903f16..d80506bb9a 100644
--- a/plugins/module_utils/_netapp.py
+++ b/plugins/module_utils/_netapp.py
@@ -142,8 +142,8 @@ def aws_cvs_host_argument_spec():
     return dict(
         api_url=dict(required=True, type='str'),
         validate_certs=dict(required=False, type='bool', default=True),
-        api_key=dict(required=True, type='str'),
-        secret_key=dict(required=True, type='str')
+        api_key=dict(required=True, type='str', no_log=True),
+        secret_key=dict(required=True, type='str', no_log=True)
     )
 
 
diff --git a/plugins/module_utils/identity/keycloak/keycloak.py b/plugins/module_utils/identity/keycloak/keycloak.py
index 1859d37d0e..5c57e755da 100644
--- a/plugins/module_utils/identity/keycloak/keycloak.py
+++ b/plugins/module_utils/identity/keycloak/keycloak.py
@@ -58,7 +58,7 @@ def keycloak_argument_spec():
         auth_keycloak_url=dict(type='str', aliases=['url'], required=True),
         auth_client_id=dict(type='str', default='admin-cli'),
         auth_realm=dict(type='str', required=True),
-        auth_client_secret=dict(type='str', default=None),
+        auth_client_secret=dict(type='str', default=None, no_log=True),
         auth_username=dict(type='str', aliases=['username'], required=True),
         auth_password=dict(type='str', aliases=['password'], required=True, no_log=True),
         validate_certs=dict(type='bool', default=True)
diff --git a/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py b/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py
index 489a6c5602..ebd76e3d9c 100644
--- a/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py
+++ b/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py
@@ -336,7 +336,7 @@ def main():
             backend_user_suffix=dict(type='str', required=False, default=""),
             comment=dict(type='str', required=False, default=""),
             frontend_cookie=dict(type='str', required=False),
-            frontend_cookie_secret=dict(type='str', required=False),
+            frontend_cookie_secret=dict(type='str', required=False, no_log=True),
             frontend_form=dict(type='str', required=False),
             frontend_form_template=dict(type='str', required=False, default=""),
             frontend_login=dict(type='str', required=False),