From ae8edc02e1943ef9232312471de389e72bef869c Mon Sep 17 00:00:00 2001
From: David Moreau Simard
Date: Thu, 4 Feb 2021 15:02:21 -0500
Subject: [PATCH] Add no_log to some module arguments (#1725)

* Add no_log to some module arguments

This will prevent potentially sensitive information from being printed to the console.

See: CVE-2021-20191

* Update changelogs/fragments/CVE-2021-20191_no_log.yml

Co-authored-by: Felix Fontein

Co-authored-by: Felix Fontein
---
 changelogs/fragments/CVE-2021-20191_no_log.yml | 4 ++++
 plugins/module_utils/_netapp.py | 4 ++--
 plugins/module_utils/identity/keycloak/keycloak.py | 2 +-
 .../web_infrastructure/sophos_utm/utm_proxy_auth_profile.py | 2 +-
 4 files changed, 8 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/fragments/CVE-2021-20191_no_log.yml

diff --git a/changelogs/fragments/CVE-2021-20191_no_log.yml b/changelogs/fragments/CVE-2021-20191_no_log.yml
new file mode 100644
index 0000000000..a2c8740598
--- /dev/null
+++ b/changelogs/fragments/CVE-2021-20191_no_log.yml
@@ -0,0 +1,4 @@
+security_fixes:
+ - module_utils/_netapp, na_ontap_gather_facts - enabled ``no_log`` for the options ``api_key`` and ``secret_key`` to prevent accidental disclosure (CVE-2021-20191, https://github.com/ansible-collections/community.general/pull/1725).
+ - module_utils/identity/keycloak, keycloak_client, keycloak_clienttemplate, keycloak_group - enabled ``no_log`` for the option ``auth_client_secret`` to prevent accidental disclosure (CVE-2021-20191, https://github.com/ansible-collections/community.general/pull/1725).
+ - utm_proxy_auth_profile - enabled ``no_log`` for the option ``frontend_cookie_secret`` to prevent accidental disclosure (CVE-2021-20191, https://github.com/ansible-collections/community.general/pull/1725).
diff --git a/plugins/module_utils/_netapp.py b/plugins/module_utils/_netapp.py
index d6d0903f16..d80506bb9a
--- a/plugins/module_utils/_netapp.py
+++ b/plugins/module_utils/_netapp.py
@@ -142,8 +142,8 @@ def aws_cvs_host_argument_spec():
 return dict(
 api_url=dict(required=True, type='str'),
 validate_certs=dict(required=False, type='bool', default=True),
- api_key=dict(required=True, type='str'),
- secret_key=dict(required=True, type='str')
+ api_key=dict(required=True, type='str', no_log=True),
+ secret_key=dict(required=True, type='str', no_log=True)
 )
diff --git a/plugins/module_utils/identity/keycloak/keycloak.py b/plugins/module_utils/identity/keycloak/keycloak.py
index 1859d37d0e..5c57e755da
--- a/plugins/module_utils/identity/keycloak/keycloak.py
+++ b/plugins/module_utils/identity/keycloak/keycloak.py
@@ -58,7 +58,7 @@ def keycloak_argument_spec():
 auth_keycloak_url=dict(type='str', aliases=['url'], required=True),
 auth_client_id=dict(type='str', default='admin-cli'),
 auth_realm=dict(type='str', required=True),
- auth_client_secret=dict(type='str', default=None),
+ auth_client_secret=dict(type='str', default=None, no_log=True),
 auth_username=dict(type='str', aliases=['username'], required=True),
 auth_password=dict(type='str', aliases=['password'], required=True, no_log=True),
 validate_certs=dict(type='bool', default=True)
diff --git a/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py b/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py
index 489a6c5602..ebd76e3d9c
--- a/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py
+++ b/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py
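Review bot: `no_log=True` on the `api_key` and `secret_key` lines only redacts the literal parameter values from the module's logged invocation and returned result; nothing in this hunk shows how the code that consumes `aws_cvs_host_argument_spec()` puts these credentials on the wire, and if a caller derives a header or signature from them and echoes the request in a `fail_json` message, that derived form would not be covered. That consumer sits outside the hunk and is worth checking before the CVE item is considered closed. A short comment on the two added lines would also keep the next reader from dropping the flag, e.g. `# credentials: keep no_log=True so they are redacted from module output (CVE-2021-20191)`. `aws_cvs_host_argument_spec` begins above the hunk, and the trailing context after `)` appears to have been lost in the page's line collapse.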
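Review bot: `default=None` on the changed `auth_client_secret` line is redundant with Ansible's implicit default for absent options and is inconsistent with the neighbouring `auth_password` entry, which omits it; for a uniform spec the line could read `auth_client_secret=dict(type='str', no_log=True),`. Beyond style, both `auth_client_secret` and `auth_password` are now redacted, but the redaction applies to the supplied values only — any access token or error body the module later obtains using them is not visible in this hunk and would need its own handling if it is ever returned to the caller. `keycloak_argument_spec` starts above the hunk.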
@@ -336,7 +336,7 @@ def main():
 backend_user_suffix=dict(type='str', required=False, default=""),
 comment=dict(type='str', required=False, default=""),
 frontend_cookie=dict(type='str', required=False),
- frontend_cookie_secret=dict(type='str', required=False),
+ frontend_cookie_secret=dict(type='str', required=False, no_log=True),
 frontend_form=dict(type='str', required=False),
 frontend_form_template=dict(type='str', required=False, default=""),
 frontend_login=dict(type='str', required=False),
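Review bot: `frontend_cookie_secret` is `required=False` with no default, so when omitted the module presumably sends `None`, and whether the UTM API then hands back a server-generated secret in the object this module compares and reports is not visible here; `no_log` masks only values equal to the supplied parameter, so a returned secret that differs from the input would still appear in the result unless the module strips it. That comparison/return code lives in `main()`, which starts above the hunk and continues below it. The adjacent `frontend_cookie` option appears to be a cookie name rather than a credential, so leaving it without `no_log` looks right; a one-line comment such as `# frontend_cookie is the cookie name; only the secret below is sensitive` would stop a later sanity pass from "fixing" it.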