-
Notifications
You must be signed in to change notification settings - Fork 398
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[security] Fix missing no_log=True #475
[security] Fix missing no_log=True #475
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
recheck |
@tremble that will still fail. ansible-collections/amazon.aws#303 needs to be merged first. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Once the mfa token is used, it cannot be used a 2nd time.
Imho leaking mfa token is not dramatically.
LGTM
@markuman except if someone manages to use the token after it is logged to syslog (every module on startup logs its invocation including all parameters that don't have |
Also consider a case where we log/show the parameter, but then for some reason the module crashes out. Now the MFA was logged/shown but never used. It needs to be |
Agree that it's a risk and should not be logged. Difficult to exploit though. |
recheck |
I already created a backport PR for stable-2.9: ansible/ansible#73894 |
…2.9.20 Alina Buzachis (1): New AWS module mod_defaults - rds_option_group (_info) modules (#74098) Carlos Camacho (1): [stable-2.9] Fix: nmcli bridge-slave fails with error (#74125) Felix Fontein (4): Backport of ansible-collections/community.docker#103. (#73890) Backport of ansible-collections/community.aws#475. (#73894) Backport of ansible-collections/community.general#2018. (#73893) Backport of ansible-collections/community.network#223. (#73909) Jill R (1): New AWS module mod_defaults - wafv2 modules (#73975) Mark Chappell (3): Ensure unit test paths for connection and inventory plugins are based on the context (#73877) Partial backport of community.aws/471 - no_log=True for aws_secret (#73874) [backport/2.9] module_defaults: Add rds_snapshot (#74113) Matt Clay (1): [stable-2.9] Fix ansible-test coverage exporting. Matt Martz (1): [stable-2.9] Ensure task from the worker is finalized/squashed (#73881) (#73929) Rick Elrod (5): Update Ansible release version to v2.9.19.post0. [security] Add more missing no_logs (#74115) New release v2.9.20rc1 Update Ansible release version to v2.9.20rc1.post0. New release v2.9.20 Sam Doran (2): Move file needed by cs_volume test to S3 [stable-2.9] find - set proper default based on use_regex (#73961) (#73966) Xabier Napal (1): Fix wrong backup directory var name in apt module (#73840) (#74003) nitzmahone (1): add optional module_utils import support (#73832) (#73916)
…n/real-secrets [security] Fix missing no_log=True This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections@26ad349
…rets [security] Fix missing no_log=True
…rets [security] Fix missing no_log=True
Re-enable ec2_vpc_endpoint tests SUMMARY Tests were a little broken, fixed. Also tried splitting out the VPC cleanup code to reduce copy&paste. fixes: ansible-collections#475 ISSUE TYPE Bugfix Pull Request COMPONENT NAME ec2_vpc_endpoint ADDITIONAL INFORMATION Reviewed-by: Mark Chappell <None> Reviewed-by: Alina Buzachis <None>
SUMMARY
Fallout from the new
no_log
sanity tests. I've checked with @tremble and these seem to be really missing.authentication_key
parameter is arguably secret (BGP Authentication Key)mfa_token
is a one-time token; attackers could intercept the log call and use the token before it is used by the module.CC @jillr @relrod
ISSUE TYPE
COMPONENT NAME
aws_direct_connect_virtual_interface
sts_assume_role
sts_session_token