authorMatt Davis <nitzmahone@users.noreply.github.com>2018-11-26 15:28:21 -0800
committerGitHub <noreply@github.com>2018-11-26 15:28:21 -0800
commit8c1f701e6e9df29fe991f98265e2dd76acca4b8c (patch)
tree1f25d8a1d98215a329e51a502d15b12c82d646d0 /test/integration/targets/win_become
parente7104a445b0f3135004ff4d7832adc8575a94776 (diff)
split PS wrapper and payload (CVE-2018-16859) (#49142)
* prevent scriptblock logging from logging payload contents
* added tests to verify no payload contents in PS Operational event log
* fix script action to send split-aware wrapper
* fix CLIXML error parser (return to -EncodedCommand exposed problems with it)
Diffstat (limited to 'test/integration/targets/win_become')
-rw-r--r--test/integration/targets/win_become/tasks/main.yml33
1 files changed, 25 insertions, 8 deletions
diff --git a/test/integration/targets/win_become/tasks/main.yml b/test/integration/targets/win_become/tasks/main.yml
index 0aab437471..9033e6af14 100644
--- a/test/integration/targets/win_become/tasks/main.yml
+++ b/test/integration/targets/win_become/tasks/main.yml
@@ -1,7 +1,7 @@
- set_fact:
become_test_username: ansible_become_test
become_test_admin_username: ansible_become_admin
- gen_pw: password123! + {{ lookup('password', '/dev/null chars=ascii_letters,digits length=8') }}
+ gen_pw: "{{ 'password123!' + lookup('password', '/dev/null chars=ascii_letters,digits length=8') }}"
- name: create unprivileged user
win_user:
@@ -29,6 +29,10 @@
- SeInteractiveLogonRight
- SeBatchLogonRight
+- name: fetch current target date/time for log filtering
+ raw: '[datetime]::now | Out-String'
+ register: test_starttime
+
- name: execute tests and ensure that test user is deleted regardless of success/failure
block:
- name: ensure current user is not the become user
@@ -82,7 +86,7 @@
vars: *admin_become_vars
win_whoami:
register: whoami_out
-
+
- name: verify output
assert:
that:
@@ -121,7 +125,7 @@
- whoami_out.label.account_name == 'Medium Mandatory Level'
- whoami_out.label.sid == 'S-1-16-8192'
- whoami_out.logon_type == 'Interactive'
-
+
- name: test with module that will return non-zero exit code (https://github.com/ansible/ansible/issues/30468)
vars: *become_vars
setup:
@@ -138,14 +142,14 @@
- '"Failed to become user " + become_test_username not in become_invalid_pass.msg'
- '"LogonUser failed" not in become_invalid_pass.msg'
- '"Win32ErrorCode 1326)" not in become_invalid_pass.msg'
-
+
- name: test become with SYSTEM account
win_whoami:
become: yes
become_method: runas
become_user: SYSTEM
register: whoami_out
-
+
- name: verify output
assert:
that:
@@ -162,7 +166,7 @@
become_method: runas
become_user: NetworkService
register: whoami_out
-
+
- name: verify output
assert:
that:
@@ -179,7 +183,7 @@
become_method: runas
become_user: LocalService
register: whoami_out
-
+
- name: verify output
assert:
that:
@@ -195,11 +199,12 @@
win_command: whoami
async: 10
register: whoami_out
-
+
- name: verify become + async worked
assert:
that:
- whoami_out is successful
+ - become_test_username in whoami_out.stdout
- name: test failure with string become invalid key
vars: *become_vars
@@ -313,6 +318,18 @@
- nonascii_output.stdout_lines[0] == 'über den Fußgängerübergang gehen'
- nonascii_output.stderr == ''
+ - name: get PS events containing password or module args created since test start
+ raw: |
+ $dt=[datetime]"{{ test_starttime.stdout|trim }}"
+ (Get-WinEvent -LogName Microsoft-Windows-Powershell/Operational |
+ ? { $_.TimeCreated -ge $dt -and $_.Message -match "{{ gen_pw }}|whoami" }).Count
+ register: ps_log_count
+
+ - name: assert no PS events contain password or module args
+ assert:
+ that:
+ - ps_log_count.stdout | int == 0
+
# FUTURE: test raw + script become behavior once they're running under the exec wrapper again
# FUTURE: add standalone playbook tests to include password prompting and play become keywords
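Review bot: The `ps_log_count.stdout | int == 0` assertion in the last hunk passes vacuously when the raw query produces no stdout, because Jinja's `int` filter turns an empty string into 0; a non-terminating Get-WinEvent error (wrong log name, access denied) writes to stderr, leaves rc at 0 and stdout empty, so the leak check would report success without having inspected any events. Pin the value and the exit code instead, `- ps_log_count.rc == 0` and `- ps_log_count.stdout | trim == '0'`, and consider a positive control that the same query without the pattern returns a non-zero count since test start, so a silently empty or missing log cannot mask a regression. The password is interpolated into a PowerShell regex via `-match`; with the current `ascii_letters,digits` charset plus `password123!` no metacharacters appear, but if the lookup charset ever changes, `[regex]::Escape` on the value would keep the match literal. The start-time round trip (`[datetime]::now | Out-String` in the earlier hunk, cast back with `[datetime]"..."` here) formats with the target's current culture while the cast parses with the invariant culture, so on a target using day-first dates this can throw or shift the filter window; `(Get-Date).ToString('o')` would round-trip unambiguously. Note also that the query script itself contains both `whoami` and the rendered password, so if script block logging is enabled on the target the 4104 event for this very raw command could match its own pattern — worth confirming the test does not fail for that reason alone.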