From a3f08377b2000f8e179e361bcfef4afec18ba1e5 Mon Sep 17 00:00:00 2001
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com>
Date: Thu, 14 Jan 2021 16:04:27 +0100
Subject: [PATCH] bitbucket_pipeline_variable: Hide secured values in console log (#1635) (#1637)

**SECURITY** - CVE-2021-20180 Hide user sensitive information which is marked as ``secured`` while logging in console.
Signed-off-by: Abhijeet Kasurde
(cherry picked from commit 1d0c5e2ba47724c31a18d7b08b9daf13df8829dc)
Co-authored-by: Abhijeet Kasurde
---
 .../fragments/cve_bitbucket_pipeline_variable.yml | 2 ++
 .../bitbucket/bitbucket_pipeline_variable.py | 12 ++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/fragments/cve_bitbucket_pipeline_variable.yml
diff --git a/changelogs/fragments/cve_bitbucket_pipeline_variable.yml b/changelogs/fragments/cve_bitbucket_pipeline_variable.yml
new file mode 100644
index 0000000000..1315755bb0
--- /dev/null
+++ b/changelogs/fragments/cve_bitbucket_pipeline_variable.yml
@@ -0,0 +1,2 @@
+security_fixes:
+- 'bitbucket_pipeline_variable - **CVE-2021-20180** - hide user sensitive information which are marked as ``secured`` from logging into the console (https://github.com/ansible-collections/community.general/pull/1635).'
diff --git a/plugins/modules/source_control/bitbucket/bitbucket_pipeline_variable.py b/plugins/modules/source_control/bitbucket/bitbucket_pipeline_variable.py
index c4ca59a3f1..33457fcab4 100644
--- a/plugins/modules/source_control/bitbucket/bitbucket_pipeline_variable.py
+++ b/plugins/modules/source_control/bitbucket/bitbucket_pipeline_variable.py
@@ -85,7 +85,7 @@ EXAMPLES = r'''
 RETURN = r''' # '''
-from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.basic import AnsibleModule, _load_params
 from ansible_collections.community.general.plugins.module_utils.source_control.bitbucket import BitbucketHelper
 error_messages = {
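Review bot: `_load_params` is an underscore-prefixed helper of `ansible.module_utils.basic`, so the new import ties this security fix to a private interface, and no comment says why. I would add a line above the import such as `# _load_params is private; used to read 'secured' before AnsibleModule parses the arguments (CVE-2021-20180)`. If the helper's behaviour changed in a later release, the `or {}` fallback in the class added further down would presumably skip the masking without any error. The diffstat shows no test file, so a regression test asserting that the value is absent from the module output when `secured` is true would be worth adding.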
@@ -211,6 +211,14 @@ def delete_pipeline_variable(module, bitbucket, variable_uuid):
 ))
+class BitBucketPipelineVariable(AnsibleModule):
+ def __init__(self, *args, **kwargs):
+ params = _load_params() or {}
+ if params.get('secured'):
+ kwargs['argument_spec']['value'].update({'no_log': True})
+ super(BitBucketPipelineVariable, self).__init__(*args, **kwargs)
+
+
 def main():
 argument_spec = BitbucketHelper.bitbucket_argument_spec()
 argument_spec.update(
@@ -221,7 +229,7 @@ def main():
 secured=dict(type='bool', default=False),
 state=dict(type='str', choices=['present', 'absent'], required=True),
 )
- module = AnsibleModule(
+ module = BitBucketPipelineVariable(
 argument_spec=argument_spec,
 supports_check_mode=True,
 )
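Review bot: The `if params.get('secured'):` test in `BitBucketPipelineVariable.__init__` runs on the raw value from `_load_params()`, before the `type='bool'` coercion declared in `main()`, so any non-empty string (including `"false"`) turns masking on. That errs on the side of hiding the value, which looks like the safe direction for this CVE, but nothing in the class says so and a later cleanup could make the check fail open. I would add a comment above the test, for example `# Raw, un-coerced params: any truthy 'secured' masks 'value'; must be set before AnsibleModule.__init__ processes the spec.` Separately, `kwargs['argument_spec']` raises `KeyError` if a caller passes the spec positionally; `spec = kwargs['argument_spec'] if 'argument_spec' in kwargs else args[0]` would keep both call styles masked.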