Add no_log to some module arguments (#1725)

* Add no_log to some module arguments This will prevent potentially sensitive information from being printed to the console. See: CVE-2021-20191 * Update changelogs/fragments/CVE-2021-20191_no_log.yml Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Felix Fontein <felix@fontein.de> (cherry picked from commit ae8edc0)
ansible-collections · Feb 4, 2021 · 9241022 · 9241022
1 parent b7368b9
commit 9241022
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 4 deletions.
diff --git a/changelogs/fragments/CVE-2021-20191_no_log.yml b/changelogs/fragments/CVE-2021-20191_no_log.yml
@@ -0,0 +1,4 @@
+security_fixes:
+  - module_utils/_netapp, na_ontap_gather_facts - enabled ``no_log`` for the options ``api_key`` and ``secret_key`` to prevent accidental disclosure (CVE-2021-20191, https://github.com/ansible-collections/community.general/pull/1725).
+  - module_utils/identity/keycloak, keycloak_client, keycloak_clienttemplate, keycloak_group - enabled ``no_log`` for the option ``auth_client_secret`` to prevent accidental disclosure (CVE-2021-20191, https://github.com/ansible-collections/community.general/pull/1725).
+  - utm_proxy_auth_profile - enabled ``no_log`` for the option ``frontend_cookie_secret`` to prevent accidental disclosure (CVE-2021-20191, https://github.com/ansible-collections/community.general/pull/1725).
diff --git a/plugins/module_utils/_netapp.py b/plugins/module_utils/_netapp.py
@@ -142,8 +142,8 @@ def aws_cvs_host_argument_spec():
     return dict(
         api_url=dict(required=True, type='str'),
         validate_certs=dict(required=False, type='bool', default=True),
-        api_key=dict(required=True, type='str'),
-        secret_key=dict(required=True, type='str')
+        api_key=dict(required=True, type='str', no_log=True),
+        secret_key=dict(required=True, type='str', no_log=True)
     )
 
 

diff --git a/plugins/module_utils/identity/keycloak/keycloak.py b/plugins/module_utils/identity/keycloak/keycloak.py
@@ -58,7 +58,7 @@ def keycloak_argument_spec():
         auth_keycloak_url=dict(type='str', aliases=['url'], required=True),
         auth_client_id=dict(type='str', default='admin-cli'),
         auth_realm=dict(type='str', required=True),
-        auth_client_secret=dict(type='str', default=None),
+        auth_client_secret=dict(type='str', default=None, no_log=True),
         auth_username=dict(type='str', aliases=['username'], required=True),
         auth_password=dict(type='str', aliases=['password'], required=True, no_log=True),
         validate_certs=dict(type='bool', default=True)

diff --git a/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py b/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py
@@ -336,7 +336,7 @@ def main():
             backend_user_suffix=dict(type='str', required=False, default=""),
             comment=dict(type='str', required=False, default=""),
             frontend_cookie=dict(type='str', required=False),
-            frontend_cookie_secret=dict(type='str', required=False),
+            frontend_cookie_secret=dict(type='str', required=False, no_log=True),
             frontend_form=dict(type='str', required=False),
             frontend_form_template=dict(type='str', required=False, default=""),
             frontend_login=dict(type='str', required=False),