authorToshio Kuratomi <a.badger@gmail.com>2018-06-12 12:28:29 -0700
committerMatt Davis <nitzmahone@users.noreply.github.com>2018-06-12 12:28:29 -0700
commit698b8e04f31b3d1a7bd0e6ca41c0470d6536939a (patch)
treef0b79e939557e3256c858dc688f0dc0a01f7a70b
parent0a6bff20d068e98d15a40b58ab4da30494326645 (diff)
downloadansible-698b8e04f31b3d1a7bd0e6ca41c0470d6536939a.tar.gz
Bkprt nolog fix (#41453)
* no_log is now honored even when the task result doesn't provide the key - the task property is now also checked - added a reproducer to the tests for unreachable status on an item loop (cherry picked from commit 336b3762b23a64e355cfa3efba11ddf5bdd7f0d8) * Add changelog entry for the no_log fix (cherry picked from commit 5fdd101a3e4861f8bedaf4c5bd29ee1cf4d8514b)
-rw-r--r--changelogs/fragments/no_log_fix_for_connection_exceptions.yaml9
-rw-r--r--lib/ansible/executor/task_result.py2
-rw-r--r--test/integration/targets/no_log/no_log_local.yml27
3 files changed, 37 insertions, 1 deletions
diff --git a/changelogs/fragments/no_log_fix_for_connection_exceptions.yaml b/changelogs/fragments/no_log_fix_for_connection_exceptions.yaml
new file mode 100644
index 0000000000..a5be03a6ba
--- /dev/null
+++ b/changelogs/fragments/no_log_fix_for_connection_exceptions.yaml
@@ -0,0 +1,9 @@
+---
+bugfixes:
+- '**Security Fix** - Some connection exceptions would cause no_log specified on
+ a task to be ignored. If this happened, the task information, including any
+ private information could have been displayed to stdout and (if enabled, not
+ the default) logged to a log file specified in ansible.cfg''s log_path.
+ Additionally, sites which redirected stdout from ansible runs to a log file
+ may have stored that private information onto disk that way as well.
+ (https://github.com/ansible/ansible/pull/41414)'
diff --git a/lib/ansible/executor/task_result.py b/lib/ansible/executor/task_result.py
index 40a492d7d8..6609e06698 100644
--- a/lib/ansible/executor/task_result.py
+++ b/lib/ansible/executor/task_result.py
@@ -110,7 +110,7 @@ class TaskResult:
else:
ignore = _IGNORE
- if self._result.get('_ansible_no_log', False):
+ if self._task.no_log or self._result.get('_ansible_no_log', False):
x = {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result"}
for preserve in _PRESERVE:
if preserve in self._result:
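Review bot: The new condition dereferences `self._task` unconditionally, so if a TaskResult can ever be constructed with `task=None` this line now raises AttributeError before any censoring happens; the enclosing method starts and ends outside the hunk, so I can't see whether `_task` is already guarded earlier, but a defensive form costs nothing: `if (self._task and self._task.no_log) or self._result.get('_ansible_no_log', False):`. The why behind the change deserves a comment on the added line, since a future reader will be tempted to "simplify" it back to the dict lookup, e.g. `# _ansible_no_log is only stamped on results the executor produced; unreachable/connection-exception results never carry it, so also honor the task's own no_log`. Note that on that early-failure path `self._task.no_log` may still be the raw, untemplated value (a truthy `"{{ ... }}"` string), which errs toward censoring — the safe direction, but worth stating in the same comment. The `_PRESERVE` keys copied through on the lines below are not censored; if `msg` is among them, confirm the connection-layer error text can't include loop-item data, otherwise the reproducer's password would still leak via that field.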
diff --git a/test/integration/targets/no_log/no_log_local.yml b/test/integration/targets/no_log/no_log_local.yml
index bf02468f22..69a55fdb4f 100644
--- a/test/integration/targets/no_log/no_log_local.yml
+++ b/test/integration/targets/no_log/no_log_local.yml
@@ -63,3 +63,30 @@
- name: args should be logged when task-level no_log overrides play-level
shell: echo "LOG_ME_OVERRIDE"
no_log: false
+
+ - name: Add a fake host for next play
+ add_host:
+ hostname: fake
+
+- name: use 'fake' unreachable host to force unreachable error
+ hosts: fake
+ gather_facts: no
+ connection: ssh
+ tasks:
+ - name: Fail to run a lineinfile task
+ vars:
+ logins:
+ - machine: foo
+ login: bar
+ password: DO_NOT_LOG_UNREACHABLE_ITEM
+ - machine: two
+ login: three
+ password: DO_NOT_LOG_UNREACHABLE_ITEM
+ lineinfile:
+ path: /dev/null
+ mode: 0600
+ create: true
+ insertafter: EOF
+ line: "machine {{ item.machine }} login {{ item.login }} password {{ item.password }}"
+ loop: "{{ logins }}"
+ no_log: true
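Review bot: The reproducer relies on the bare inventory name `fake` (`hosts: fake`, `connection: ssh`, no `ansible_host`) failing to resolve or connect, which is environment-dependent — a search domain or wildcard DNS entry could make `fake` resolve, and the task would then attempt a real SSH login with whatever credentials the CI runner has. Pin the target to a name reserved never to resolve by adding `ansible_host: fake.invalid` under the `add_host` task (RFC 2606 guarantees NXDOMAIN), which makes the unreachable path both deterministic and fast. The play itself asserts nothing; presumably the target's runner script greps the captured output for `DO_NOT_LOG_UNREACHABLE_ITEM` and fails on a match — if so, it should also require the `censored` placeholder to appear, otherwise a play that aborts before printing any result passes vacuously.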