Fix information disclosure caused by unreachable nodes
Currently we can leak secrets if we encounter unreachable nodes combined with a task using with_items and no_log. In this case the item variables are written to both the job-output.json and job-output.txt. Upstream Ansible has the same issue [1].

The text log can be fixed by defining the v2_runner_on_unreachable callback the same as v2_runner_on_failed. The json log can be fixed the same way as the upstream Ansible issue.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1588855

Change-Id: Ie5dd2a6b11e8e276da65fe470f364107f3dd07ef
changes/88/574788/2
parent
896df11638
commit
ffe7278c08
@ -0,0 +1,28 @@
|
||||
- hosts: localhost
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- name: Add a fake host
|
||||
add_host:
|
||||
hostname: fake
|
||||
ansible_host: notexisting.example.notexisting
|
||||
|
||||
- hosts: fake
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- name: Run a lineinfile task
|
||||
vars:
|
||||
logins:
|
||||
- machine: foo
|
||||
login: bar
|
||||
password: my-very-secret-password-1
|
||||
- machine: two
|
||||
login: three
|
||||
password: my-very-secret-password-2
|
||||
lineinfile:
|
||||
path: /tmp/.netrc
|
||||
mode: 0600
|
||||
create: true
|
||||
insertafter: EOF
|
||||
line: "machine {{ item.machine }} login {{ item.login }} password {{ item.password }}"
|
||||
with_items: "{{ logins }}"
|
||||
no_log: true
|
||||
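Review bot: Nothing in this playbook explains why it is built this way: `ansible_host: notexisting.example.notexisting` is what makes the `fake` host unreachable, and the two `my-very-secret-password-N` values are presumably the sentinels a test searches for in job-output.txt and job-output.json. A comment above the second play, such as `# Host is unresolvable on purpose; the no_log loop items below must never appear in the job output`, would stop a later edit from "fixing" the hostname or dropping `no_log: true`, and would mark the password strings as test data for anyone triaging a secret-scanner hit. On style, `mode: 0600` relies on YAML 1.1 octal parsing and is safer quoted as `mode: '0600'`, and `gather_facts: no` is more predictable written as `gather_facts: false`. The rendered page has dropped the indentation, so the nesting of `vars`, `with_items` and `no_log` under the task could not be checked here.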
@ -0,0 +1,26 @@
|
||||
- pipeline:
|
||||
name: check
|
||||
manager: independent
|
||||
post-review: true
|
||||
trigger:
|
||||
gerrit:
|
||||
- event: patchset-created
|
||||
success:
|
||||
gerrit:
|
||||
Verified: 1
|
||||
failure:
|
||||
gerrit:
|
||||
Verified: -1
|
||||
|
||||
- job:
|
||||
name: base
|
||||
parent: null
|
||||
|
||||
- job:
|
||||
name: no-log-unreachable
|
||||
run: playbooks/no-log-unreachable.yaml
|
||||
|
||||
- project:
|
||||
check:
|
||||
jobs:
|
||||
- no-log-unreachable
|
||||
@ -0,0 +1,6 @@
|
||||
- tenant:
|
||||
name: tenant-one
|
||||
source:
|
||||
gerrit:
|
||||
config-projects:
|
||||
- org/project
|
||||