Skip to content

Commit

Permalink
Don't show params when there is an issue with set_option(s) (ansibl…
Browse files Browse the repository at this point in the history
  • Loading branch information
sivel authored Sep 28, 2021
1 parent 8643db5 commit 79e9dae
Show file tree
Hide file tree
Showing 4 changed files with 42 additions and 2 deletions.
5 changes: 5 additions & 0 deletions changelogs/fragments/avoid-set_options-leak.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
security_fixes:
- Do not include params in exception when a call to ``set_options`` fails.
Additionally, block the exception that is returned from being displayed to stdout.
(CVE-2021-3620)
12 changes: 10 additions & 2 deletions lib/ansible/cli/scripts/ansible_connection_cli_stub.py
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,11 @@ def start(self, variables):
self.play_context.private_key_file = os.path.join(self.original_path, self.play_context.private_key_file)
self.connection = connection_loader.get(self.play_context.connection, self.play_context, '/dev/null',
task_uuid=self._task_uuid, ansible_playbook_pid=self._ansible_playbook_pid)
self.connection.set_options(var_options=variables)
try:
self.connection.set_options(var_options=variables)
except ConnectionError as exc:
messages.append(('debug', to_text(exc)))
raise ConnectionError('Unable to decode JSON from response set_options. See the debug log for more information.')

self.connection._socket_path = self.socket_path
self.srv.register(self.connection)
Expand Down Expand Up @@ -301,7 +305,11 @@ def main():
else:
messages.append(('vvvv', 'found existing local domain socket, using it!'))
conn = Connection(socket_path)
conn.set_options(var_options=variables)
try:
conn.set_options(var_options=variables)
except ConnectionError as exc:
messages.append(('debug', to_text(exc)))
raise ConnectionError('Unable to decode JSON from response set_options. See the debug log for more information.')
pc_data = to_text(init_data)
try:
conn.update_play_context(pc_data)
Expand Down
5 changes: 5 additions & 0 deletions lib/ansible/module_utils/connection.py
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,11 @@ def _exec_jsonrpc(self, name, *args, **kwargs):
try:
response = json.loads(out)
except ValueError:
# set_option(s) has sensitive info, and the details are unlikely to matter anyway
if name.startswith("set_option"):
raise ConnectionError(
"Unable to decode JSON from response to {0}. Received '{1}'.".format(name, out)
)
params = [repr(arg) for arg in args] + ['{0}={1!r}'.format(k, v) for k, v in iteritems(kwargs)]
params = ', '.join(params)
raise ConnectionError(
Expand Down
22 changes: 22 additions & 0 deletions test/units/module_utils/test_connection.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2021, Matt Martz <[email protected]>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

from __future__ import (absolute_import, division, print_function)
__metaclass__ = type

from ansible.module_utils import connection

import pytest


def test_set_options_credential_exposure():
def send(data):
return '{'

c = connection.Connection(connection.__file__)
c.send = send
with pytest.raises(connection.ConnectionError) as excinfo:
c._exec_jsonrpc('set_options', become_pass='password')

assert 'password' not in str(excinfo.value)

0 comments on commit 79e9dae

Please sign in to comment.