diff options
author | Ganesh Nalawade <ganesh634@gmail.com> | 2017-11-03 21:57:14 +0530 |
---|---|---|
committer | James Cammarata <jimi@sngx.net> | 2017-11-03 11:27:14 -0500 |
commit | eaa2fcc73fbda0caa402ad6233434f981baccab6 (patch) | |
tree | e5ffdcbf9491768df709a4121401aafef689e3a8 /lib/ansible/plugins/action/iosxr.py | |
parent | 4c6612eeba6fa1d90d36ad991745cdb13c4956e8 (diff) | |
download | ansible-eaa2fcc73fbda0caa402ad6233434f981baccab6.tar.gz |
Fix password leak in logs for provider argument (#32215)
* Fix password leak in logs for provider argument
Since provider argument is not validated against a spec
the `no_log` arguments are not handled leading to password
leaking to syslogs.
To fix this:
* Mask password and other `no_log` provider arguments in action plugin
* In case of eapi and nxapi as the password is used in module code,
* copy the provider password to top-level password argument which
* handles `no_log` correctly. This will, however, throw a deprecation
* warning message for password arg even if it is not given as a
* top-level argument.
* Remove auth details from provider args in action plugin
* Update CHANGELOG
Diffstat (limited to 'lib/ansible/plugins/action/iosxr.py')
-rw-r--r-- | lib/ansible/plugins/action/iosxr.py | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/ansible/plugins/action/iosxr.py b/lib/ansible/plugins/action/iosxr.py index 2b0f4e8e12..46091f1d14 100644 --- a/lib/ansible/plugins/action/iosxr.py +++ b/lib/ansible/plugins/action/iosxr.py @@ -60,6 +60,9 @@ class ActionModule(_ActionModule): pc.password = provider['password'] or self._play_context.password pc.timeout = provider['timeout'] or self._play_context.timeout + # remove auth from provider arguments + provider.pop('password', None) + display.vvv('using connection plugin %s' % pc.connection, pc.remote_addr) connection = self._shared_loader_obj.connection_loader.get('persistent', pc, sys.stdin) |