Skip to content
This repository has been archived by the owner on Jun 13, 2024. It is now read-only.

warn about disclosure when using certain options #51

Merged
merged 1 commit into from
Mar 11, 2020

Conversation

bcoca
Copy link
Contributor

@bcoca bcoca commented Mar 11, 2020

SUMMARY

some options push data inline into cli, this is not good when using secrets and can lead to disclosure
CVE-2020-1753

ISSUE TYPE
  • Bugfix Pull Request
  • Docs Pull Request
COMPONENT NAME

kubectl

@@ -65,6 +65,7 @@
kubectl_extra_args:
description:
- Extra arguments to pass to the kubectl command line.
- Please be aware that this passes information directly on the command line and it could expose sensitive data.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should you add the We recommend using the file based authentication options instead. here too?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Guess not? Looks like this was just merged.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my bad, though I think the password/api key are the only sensitive auth bits you can pass in plain text that you need to work around with file based auth, the other kubectl options are either just paths to files or not sensitive AFAIK

@codecov

This comment has been minimized.

@geerlingguy geerlingguy requested a review from fabianvf March 11, 2020 16:45
Copy link
Collaborator

@fabianvf fabianvf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@fabianvf fabianvf merged commit afc6d9d into master Mar 11, 2020
@bcoca bcoca deleted the warn_cli_options branch March 12, 2020 19:50
@bcoca
Copy link
Contributor Author

bcoca commented Apr 3, 2020

backport ansible/ansible#68195

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants