From beb04bc2642c208447c5a936f94310528a1946b1 Mon Sep 17 00:00:00 2001
From: Matt Martz
Date: Thu, 18 Jan 2024 17:17:23 -0600
Subject: [PATCH] [stable-2.14] Ensure ANSIBLE_NO_LOG is respected (CVE-2024-0690) (#82565) (#82568)
Origin: https://github.com/ansible/ansible/commit/beb04bc2642c208447c5a936f94310528a1946b1
(cherry picked from commit 6935c8e)
---
 changelogs/fragments/cve-2024-0690.yml | 2 ++
 lib/ansible/playbook/base.py | 2 +-
 lib/ansible/playbook/play_context.py | 4 ----
 test/integration/targets/no_log/no_log_config.yml | 13 +++++++++++++
 test/integration/targets/no_log/runme.sh | 5 +++++
 5 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 changelogs/fragments/cve-2024-0690.yml
 create mode 100644 test/integration/targets/no_log/no_log_config.yml
diff --git a/changelogs/fragments/cve-2024-0690.yml b/changelogs/fragments/cve-2024-0690.yml
new file mode 100644
index 0000000..0e030d8
--- /dev/null
+++ b/changelogs/fragments/cve-2024-0690.yml
@@ -0,0 +1,2 @@
+security_fixes:
+- ANSIBLE_NO_LOG - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
diff --git a/lib/ansible/playbook/base.py b/lib/ansible/playbook/base.py
index 5fae511..733fa83 100644
--- a/lib/ansible/playbook/base.py
+++ b/lib/ansible/playbook/base.py
@@ -154,7 +154,7 @@ class Base(with_metaclass(BaseMeta, object)):
 # flags and misc. settings
 _environment = FieldAttribute(isa='list', extend=True, prepend=True)
- _no_log = FieldAttribute(isa='bool')
+ _no_log = FieldAttribute(isa='bool', default=C.DEFAULT_NO_LOG)
 _always_run = FieldAttribute(isa='bool')
 _run_once = FieldAttribute(isa='bool')
 _ignore_errors = FieldAttribute(isa='bool')
diff --git a/lib/ansible/playbook/play_context.py b/lib/ansible/playbook/play_context.py
index ea8bb87..8ca03cd 100644
--- a/lib/ansible/playbook/play_context.py
+++ b/lib/ansible/playbook/play_context.py
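Review bot: The `default=C.DEFAULT_NO_LOG` argument on the `_no_log` FieldAttribute is evaluated once, when the class body of `Base` runs at import of `lib/ansible/playbook/base.py`, so every Base subclass inherits whatever `ansible.constants` held at that moment; if `C.DEFAULT_NO_LOG` is reassigned later (tests that patch constants, or a config reload) the attribute keeps the import-time value, assuming FieldAttribute stores `default` as a plain value rather than a callable. That is acceptable for a process-lifetime config value, but it deserves a why-comment so nobody "simplifies" it back to `FieldAttribute(isa='bool')`: `# Seed no_log from config (ANSIBLE_NO_LOG) at definition time; an unset (None) no_log was previously never filled in for tasks, see CVE-2024-0690`. class Base starts and ends outside the hunk.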
@@ -432,10 +432,6 @@ class PlayContext(Base):
 new_info.connection_user = new_info.remote_user
 new_info.remote_user = pwd.getpwuid(os.getuid()).pw_name
- # set no_log to default if it was not previously set
- if new_info.no_log is None:
- new_info.no_log = C.DEFAULT_NO_LOG
-
 if task.always_run:
 display.deprecated("always_run is deprecated. Use check_mode = no instead.", version="2.4", removed=False)
 new_info.check_mode = False
diff --git a/test/integration/targets/no_log/no_log_config.yml b/test/integration/targets/no_log/no_log_config.yml
new file mode 100644
index 0000000..8a50880
--- /dev/null
+++ b/test/integration/targets/no_log/no_log_config.yml
@@ -0,0 +1,13 @@
+- hosts: testhost
+ gather_facts: false
+ tasks:
+ - debug:
+ no_log: true
+
+ - debug:
+ no_log: false
+
+ - debug:
+
+ - debug:
+ loop: '{{ range(3) }}'
diff --git a/test/integration/targets/no_log/runme.sh b/test/integration/targets/no_log/runme.sh
index e20bb08..b78dc94 100755
--- a/test/integration/targets/no_log/runme.sh
+++ b/test/integration/targets/no_log/runme.sh
@@ -7,3 +7,8 @@ set -eux
 [ "$(ansible-playbook no_log_local.yml -i ../../inventory -vvvvv "$@" | awk \
 'BEGIN { logme = 0; nolog = 0; } /LOG_ME/ { logme += 1;} /DO_NOT_LOG/ { nolog += 1;} END { printf "%d/%d", logme, nolog; }')" = "26/0" ]
+
+# test variations on ANSIBLE_NO_LOG
+[ "$(ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
+[ "$(ANSIBLE_NO_LOG=0 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
+[ "$(ANSIBLE_NO_LOG=1 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "6" ]
--
2.33.0
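Review bot: The fixture does not record which of its four tasks is expected to be hidden under which setting, so the expected counts in the runme.sh hunk (`"1"`, `"1"`, `"6"`) can only be understood by reading both files together. If the 6 is one censored line per loop item plus one per remaining task, then the task with an explicit `no_log: false` is also hidden once ANSIBLE_NO_LOG=1, which is the non-obvious precedence rule this change pins down and is worth stating next to that task. A short comment per task would make the playbook self-describing, e.g. `# hidden regardless of ANSIBLE_NO_LOG` on the `no_log: true` task and `# hidden only when ANSIBLE_NO_LOG is truthy` on the other three; the loop task could add `# one censored line per item is expected`.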
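Review bot: The three new assertions cover only the unset, `0` and `1` spellings of ANSIBLE_NO_LOG, while the defect being fixed is that the config default was never applied at all; a non-numeric truthy spelling goes through the config loader's boolean parsing, which these lines do not exercise. If the loader accepts the usual boolean spellings, one more line such as `[ "$(ANSIBLE_NO_LOG=true ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "6" ]` would guard that path too. The comment `# test variations on ANSIBLE_NO_LOG` could also say what the numbers mean, e.g. `# 1 = only the no_log: true task is censored; 6 = every task, one line per loop item`, since the counts are otherwise magic constants tied to no_log_config.yml.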