From 70f4f89178116ebd4627579446d1d0a1b20d7487 Mon Sep 17 00:00:00 2001
From: Toshio Kuratomi
Date: Wed, 13 Jun 2018 14:45:06 -0700
Subject: [PATCH] Bkprt no log fix (#41452)
* no_log even when task_result doesn't provide key
- now also checks task property
- added reproducer to tests for unreachable status on item loop
(cherry picked from commit 336b3762b23a64e355cfa3efba11ddf5bdd7f0d8)
* Add changelog entry for the no_log fix
(cherry picked from commit 5fdd101a3e4861f8bedaf4c5bd29ee1cf4d8514b)
* Tasks that are expected to fail need to begin with a special string
(cherry picked from commit a5fd86cf6d62bb6ecb624edfc0b3775705e46f06)
---
.../no_log_fix_for_connection_exceptions.yaml | 9 +++++++
lib/ansible/executor/task_result.py | 2 +-
.../targets/no_log/no_log_local.yml | 27 +++++++++++++++++++
3 files changed, 37 insertions(+), 1 deletion(-)
create mode 100644 changelogs/fragments/no_log_fix_for_connection_exceptions.yaml
diff --git a/changelogs/fragments/no_log_fix_for_connection_exceptions.yaml b/changelogs/fragments/no_log_fix_for_connection_exceptions.yaml
new file mode 100644
index 0000000000..a5be03a6ba
--- /dev/null
+++ b/changelogs/fragments/no_log_fix_for_connection_exceptions.yaml
@@ -0,0 +1,9 @@
+---
+bugfixes:
+- '**Security Fix** - Some connection exceptions would cause no_log specified on
+ a task to be ignored. If this happened, the task information, including any
+ private information could have been displayed to stdout and (if enabled, not
+ the default) logged to a log file specified in ansible.cfg''s log_path.
+ Additionally, sites which redirected stdout from ansible runs to a log file
+ may have stored that private information onto disk that way as well.
+ (https://github.com/ansible/ansible/pull/41414)'
diff --git a/lib/ansible/executor/task_result.py b/lib/ansible/executor/task_result.py
index 40a492d7d8..6609e06698 100644
--- a/lib/ansible/executor/task_result.py
+++ b/lib/ansible/executor/task_result.py
@@ -110,7 +110,7 @@ class TaskResult:
 else:
 ignore = _IGNORE
- if self._result.get('_ansible_no_log', False):
+ if self._task.no_log or self._result.get('_ansible_no_log', False):
 x = {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result"}
 for preserve in _PRESERVE:
 if preserve in self._result:
diff --git a/test/integration/targets/no_log/no_log_local.yml b/test/integration/targets/no_log/no_log_local.yml
index bf02468f22..aacf7de276 100644
--- a/test/integration/targets/no_log/no_log_local.yml
+++ b/test/integration/targets/no_log/no_log_local.yml
@@ -63,3 +63,30 @@
 - name: args should be logged when task-level no_log overrides play-level
 shell: echo "LOG_ME_OVERRIDE"
 no_log: false
+
+ - name: Add a fake host for next play
+ add_host:
+ hostname: fake
+
+- name: use 'fake' unreachable host to force unreachable error
+ hosts: fake
+ gather_facts: no
+ connection: ssh
+ tasks:
+ - name: 'EXPECTED FAILURE: Fail to run a lineinfile task'
+ vars:
+ logins:
+ - machine: foo
+ login: bar
+ password: DO_NOT_LOG_UNREACHABLE_ITEM
+ - machine: two
+ login: three
+ password: DO_NOT_LOG_UNREACHABLE_ITEM
+ lineinfile:
+ path: /dev/null
+ mode: 0600
+ create: true
+ insertafter: EOF
+ line: "machine {{ item.machine }} login {{ item.login }} password {{ item.password }}"
+ loop: "{{ logins }}"
+ no_log: true
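Review bot: The widened condition `if self._task.no_log or self._result.get('_ansible_no_log', False):` carries no explanation of why the result-level flag alone was not enough, so a later cleanup could collapse it back to the single lookup and silently reopen the leak; add a why-comment directly above it, e.g. `# '_ansible_no_log' is only present on results the executor built; a result synthesised from a connection/unreachable error never carries it, so the task's own no_log must be honoured too (fail closed).` One thing to confirm rather than assume: the task object held by the TaskResult may still carry an untemplated `no_log` value when this runs, in which case a Jinja string is truthy and the output is censored — that errs on the safe side, but is worth a note if `no_log` can legitimately template to false here. The enclosing method starts and ends outside the hunk, so its docstring (if any) is not visible to update.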
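Review bot: The reproducer only exercises the unreachable path if `hosts: fake` with `connection: ssh` really fails to connect; on a test machine where a host literally named `fake` resolves or has an ssh_config entry, the play would attempt a real connection and the no_log-on-unreachable case would not be tested. Pinning the host with an explicit `ansible_host` set to a non-routable documentation address in the `add_host` task (a constructed value, to be chosen by the maintainers) would make the failure deterministic. The hunk also contains no assertion that `DO_NOT_LOG_UNREACHABLE_ITEM` is absent from the run's output — presumably the target's runner script greps for it — so a short comment above the play naming that marker and where it is checked would help the next reader. Minor: `mode: 0600` is parsed by YAML as an octal integer; quoting it as `'0600'` is the conventional form, though it is harmless here since the task never runs.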