Skip to content

Commit

Permalink
[security] Add no_log to several module args (CVE-2021-20191) [2.9] (#…
Browse files Browse the repository at this point in the history
…73489)

Change:
- A number of modules were missing no_log=True where they should have
  had it.

Test Plan:
- Lots of grepping.

Tickets:
- Refs ansible-collections/community.general#1725

Signed-off-by: Rick Elrod <[email protected]>
  • Loading branch information
relrod authored Feb 5, 2021
1 parent 474044b commit d74a1b1
Show file tree
Hide file tree
Showing 39 changed files with 122 additions and 50 deletions.
57 changes: 57 additions & 0 deletions changelogs/fragments/new-nolog-entries.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
security_fixes:
- _sf_account_manager - `initiator_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- _sf_account_manager - `target_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- aws_netapp_cvs_active_directory - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- aws_netapp_cvs_active_directory - `secret_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- aws_netapp_cvs_filesystems - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- aws_netapp_cvs_filesystems - `secret_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- aws_netapp_cvs_pool - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- aws_netapp_cvs_pool - `secret_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- aws_netapp_cvs_snapshots - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- aws_netapp_cvs_snapshots - `secret_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- ce_vrrp - `auth_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- cp_mgmt_vpn_community_meshed - `shared_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- cp_mgmt_vpn_community_star - `shared_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- docker_swarm - `signing_ca_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gcp_compute_backend_service - `oauth2_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gcp_compute_disk - `disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gcp_compute_disk - `source_image_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gcp_compute_disk - `source_snapshot_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gcp_compute_image - `image_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gcp_compute_image - `source_disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gcp_compute_instance_template - `disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gcp_compute_instance_template - `source_image_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gcp_compute_region_disk - `disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gcp_compute_region_disk - `source_snapshot_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gcp_compute_snapshot - `snapshot_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gcp_compute_snapshot - `source_disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gcp_compute_ssl_certificate - `private_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gcp_compute_vpn_tunnel - `shared_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gcp_sql_instance - `client_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- gitlab_runner - `registration_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- iap_start_workflow - `token_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- ibm_sa_host - `iscsi_chap_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- keycloak_client - `auth_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- keycloak_clienttemplate - `auth_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- keycloak_group - `auth_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- librato_annotation - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- na_elementsw_account - `initiator_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- na_elementsw_account - `target_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- netscaler_lb_monitor - `radkey` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- nios_nsgroup - `tsig_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- nxos_aaa_server - `global_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- nxos_pim_interface - `hello_auth_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- oneandone_firewall_policy - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- oneandone_load_balancer - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- oneandone_monitoring_policy - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- oneandone_private_network - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- oneandone_public_ip - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- ovirt - `instance_rootpw` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- pagerduty_alert - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- pagerduty_alert - `integration_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- pagerduty_alert - `service_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- pulp_repo - `feed_client_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- rax_clb_ssl - `private_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- spotinst_aws_elastigroup - `multai_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- spotinst_aws_elastigroup - `token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
- utm_proxy_auth_profile - `frontend_cookie_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
2 changes: 1 addition & 1 deletion lib/ansible/module_utils/identity/keycloak/keycloak.py
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ def keycloak_argument_spec():
auth_keycloak_url=dict(type='str', aliases=['url'], required=True),
auth_client_id=dict(type='str', default='admin-cli'),
auth_realm=dict(type='str', required=True),
auth_client_secret=dict(type='str', default=None),
auth_client_secret=dict(type='str', default=None, no_log=True),
auth_username=dict(type='str', aliases=['username'], required=True),
auth_password=dict(type='str', aliases=['password'], required=True, no_log=True),
validate_certs=dict(type='bool', default=True)
Expand Down
4 changes: 2 additions & 2 deletions lib/ansible/module_utils/netapp.py
Original file line number Diff line number Diff line change
Expand Up @@ -139,8 +139,8 @@ def aws_cvs_host_argument_spec():
return dict(
api_url=dict(required=True, type='str'),
validate_certs=dict(required=False, type='bool', default=True),
api_key=dict(required=True, type='str'),
secret_key=dict(required=True, type='str')
api_key=dict(required=True, type='str', no_log=True),
secret_key=dict(required=True, type='str', no_log=True)
)


Expand Down
2 changes: 1 addition & 1 deletion lib/ansible/modules/cloud/docker/docker_swarm.py
Original file line number Diff line number Diff line change
Expand Up @@ -622,7 +622,7 @@ def main():
name=dict(type='str'),
labels=dict(type='dict'),
signing_ca_cert=dict(type='str'),
signing_ca_key=dict(type='str'),
signing_ca_key=dict(type='str', no_log=True),
ca_force_rotate=dict(type='int'),
autolock_managers=dict(type='bool'),
node_id=dict(type='str'),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -732,7 +732,11 @@ def main():
health_checks=dict(required=True, type='list', elements='str'),
iap=dict(
type='dict',
options=dict(enabled=dict(type='bool'), oauth2_client_id=dict(required=True, type='str'), oauth2_client_secret=dict(required=True, type='str')),
options=dict(
enabled=dict(type='bool'),
oauth2_client_id=dict(required=True, type='str'),
oauth2_client_secret=dict(required=True, type='str', no_log=True),
),
),
load_balancing_scheme=dict(default='EXTERNAL', type='str'),
name=dict(required=True, type='str'),
Expand Down
6 changes: 3 additions & 3 deletions lib/ansible/modules/cloud/google/gcp_compute_disk.py
Original file line number Diff line number Diff line change
Expand Up @@ -460,10 +460,10 @@ def main():
type=dict(type='str'),
source_image=dict(type='str'),
zone=dict(required=True, type='str'),
source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),
disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),
source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),
disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),
source_snapshot=dict(type='dict'),
source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),
source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),
)
)

Expand Down
4 changes: 2 additions & 2 deletions lib/ansible/modules/cloud/google/gcp_compute_image.py
Original file line number Diff line number Diff line change
Expand Up @@ -461,13 +461,13 @@ def main():
disk_size_gb=dict(type='int'),
family=dict(type='str'),
guest_os_features=dict(type='list', elements='dict', options=dict(type=dict(type='str'))),
image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
labels=dict(type='dict'),
licenses=dict(type='list', elements='str'),
name=dict(required=True, type='str'),
raw_disk=dict(type='dict', options=dict(container_type=dict(type='str'), sha1_checksum=dict(type='str'), source=dict(required=True, type='str'))),
source_disk=dict(type='dict'),
source_disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
source_disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
source_disk_id=dict(type='str'),
source_type=dict(type='str'),
)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -914,7 +914,13 @@ def main():
auto_delete=dict(type='bool'),
boot=dict(type='bool'),
device_name=dict(type='str'),
disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), rsa_encrypted_key=dict(type='str'))),
disk_encryption_key=dict(
type='dict',
options=dict(
raw_key=dict(type='str', no_log=True),
rsa_encrypted_key=dict(type='str', no_log=True),
),
),
index=dict(type='int'),
initialize_params=dict(
type='dict',
Expand All @@ -923,7 +929,7 @@ def main():
disk_size_gb=dict(type='int'),
disk_type=dict(type='str'),
source_image=dict(type='str'),
source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
),
),
interface=dict(type='str'),
Expand Down
4 changes: 2 additions & 2 deletions lib/ansible/modules/cloud/google/gcp_compute_region_disk.py
Original file line number Diff line number Diff line change
Expand Up @@ -369,9 +369,9 @@ def main():
replica_zones=dict(required=True, type='list', elements='str'),
type=dict(type='str'),
region=dict(required=True, type='str'),
disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
source_snapshot=dict(type='dict'),
source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
)
)

Expand Down
4 changes: 2 additions & 2 deletions lib/ansible/modules/cloud/google/gcp_compute_snapshot.py
Original file line number Diff line number Diff line change
Expand Up @@ -291,8 +291,8 @@ def main():
labels=dict(type='dict'),
source_disk=dict(required=True, type='dict'),
zone=dict(type='str'),
snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),
source_disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),
snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),
source_disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),
)
)

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -180,7 +180,7 @@ def main():
certificate=dict(required=True, type='str'),
description=dict(type='str'),
name=dict(type='str'),
private_key=dict(required=True, type='str'),
private_key=dict(required=True, type='str', no_log=True),
)
)

Expand Down
2 changes: 1 addition & 1 deletion lib/ansible/modules/cloud/google/gcp_compute_vpn_tunnel.py
Original file line number Diff line number Diff line change
Expand Up @@ -280,7 +280,7 @@ def main():
target_vpn_gateway=dict(type='dict'),
router=dict(type='dict'),
peer_ip=dict(type='str'),
shared_secret=dict(required=True, type='str'),
shared_secret=dict(required=True, type='str', no_log=True),
ike_version=dict(default=2, type='int'),
local_traffic_selector=dict(type='list', elements='str'),
remote_traffic_selector=dict(type='list', elements='str'),
Expand Down
2 changes: 1 addition & 1 deletion lib/ansible/modules/cloud/google/gcp_sql_instance.py
Original file line number Diff line number Diff line change
Expand Up @@ -688,7 +688,7 @@ def main():
options=dict(
ca_certificate=dict(type='str'),
client_certificate=dict(type='str'),
client_key=dict(type='str'),
client_key=dict(type='str', no_log=True),
connect_retry_interval=dict(type='int'),
dump_file_path=dict(type='str'),
master_heartbeat_period=dict(type='int'),
Expand Down
2 changes: 1 addition & 1 deletion lib/ansible/modules/cloud/misc/ovirt.py
Original file line number Diff line number Diff line change
Expand Up @@ -380,7 +380,7 @@ def main():
instance_gateway=dict(type='str', aliases=['gateway']),
instance_domain=dict(type='str', aliases=['domain']),
instance_dns=dict(type='str', aliases=['dns']),
instance_rootpw=dict(type='str', aliases=['rootpw']),
instance_rootpw=dict(type='str', aliases=['rootpw'], no_log=True),
instance_key=dict(type='str', aliases=['key']),
sdomain=dict(type='str'),
region=dict(type='str'),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -504,7 +504,8 @@ def main():
argument_spec=dict(
auth_token=dict(
type='str',
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
default=os.environ.get('ONEANDONE_AUTH_TOKEN'),
no_log=True),
api_url=dict(
type='str',
default=os.environ.get('ONEANDONE_API_URL')),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -595,7 +595,8 @@ def main():
argument_spec=dict(
auth_token=dict(
type='str',
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
default=os.environ.get('ONEANDONE_AUTH_TOKEN'),
no_log=True),
api_url=dict(
type='str',
default=os.environ.get('ONEANDONE_API_URL')),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -950,7 +950,8 @@ def main():
argument_spec=dict(
auth_token=dict(
type='str',
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
default=os.environ.get('ONEANDONE_AUTH_TOKEN'),
no_log=True),
api_url=dict(
type='str',
default=os.environ.get('ONEANDONE_API_URL')),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -384,7 +384,8 @@ def main():
argument_spec=dict(
auth_token=dict(
type='str',
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
default=os.environ.get('ONEANDONE_AUTH_TOKEN'),
no_log=True),
api_url=dict(
type='str',
default=os.environ.get('ONEANDONE_API_URL')),
Expand Down
3 changes: 2 additions & 1 deletion lib/ansible/modules/cloud/oneandone/oneandone_public_ip.py
Original file line number Diff line number Diff line change
Expand Up @@ -277,7 +277,8 @@ def main():
argument_spec=dict(
auth_token=dict(
type='str',
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
default=os.environ.get('ONEANDONE_AUTH_TOKEN'),
no_log=True),
api_url=dict(
type='str',
default=os.environ.get('ONEANDONE_API_URL')),
Expand Down
2 changes: 1 addition & 1 deletion lib/ansible/modules/cloud/rackspace/rax_clb_ssl.py
Original file line number Diff line number Diff line change
Expand Up @@ -236,7 +236,7 @@ def main():
loadbalancer=dict(required=True),
state=dict(default='present', choices=['present', 'absent']),
enabled=dict(type='bool', default=True),
private_key=dict(),
private_key=dict(no_log=True),
certificate=dict(),
intermediate_certificate=dict(),
secure_port=dict(type='int', default=443),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1438,7 +1438,7 @@ def main():
min_size=dict(type='int', required=True),
monitoring=dict(type='str'),
multai_load_balancers=dict(type='list'),
multai_token=dict(type='str'),
multai_token=dict(type='str', no_log=True),
name=dict(type='str', required=True),
network_interfaces=dict(type='list'),
on_demand_count=dict(type='int'),
Expand All @@ -1462,7 +1462,7 @@ def main():
target_group_arns=dict(type='list'),
tenancy=dict(type='str'),
terminate_at_end_of_billing_hour=dict(type='bool'),
token=dict(type='str'),
token=dict(type='str', no_log=True),
unit=dict(type='str'),
user_data=dict(type='str'),
utilize_reserved_instances=dict(type='bool'),
Expand Down
2 changes: 1 addition & 1 deletion lib/ansible/modules/monitoring/librato_annotation.py
Original file line number Diff line number Diff line change
Expand Up @@ -146,7 +146,7 @@ def main():
module = AnsibleModule(
argument_spec=dict(
user=dict(required=True),
api_key=dict(required=True),
api_key=dict(required=True, no_log=True),
name=dict(required=False),
title=dict(required=True),
source=dict(required=False),
Expand Down
6 changes: 3 additions & 3 deletions lib/ansible/modules/monitoring/pagerduty_alert.py
Original file line number Diff line number Diff line change
Expand Up @@ -190,9 +190,9 @@ def main():
argument_spec=dict(
name=dict(required=False),
service_id=dict(required=True),
service_key=dict(required=False),
integration_key=dict(required=False),
api_key=dict(required=True),
service_key=dict(required=False, no_log=True),
integration_key=dict(required=False, no_log=True),
api_key=dict(required=True, no_log=True),
state=dict(required=True,
choices=['triggered', 'acknowledged', 'resolved']),
client=dict(required=False, default=None),
Expand Down
Loading

0 comments on commit d74a1b1

Please sign in to comment.