[security] Fix missing no_log=True #475
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ansibullbot
added
bug
|
recheck |
|
@tremble that will still fail. ansible-collections/amazon.aws#303 needs to be merged first. |
markuman
approved these changes
Mar 13, 2021
|
@markuman except if someone manages to use the token after it is logged to syslog (every module on startup logs its invocation including all parameters that don't have |
|
Also consider a case where we log/show the parameter, but then for some reason the module crashes out. Now the MFA was logged/shown but never used. It needs to be |
|
Agree that it's a risk and should not be logged. Difficult to exploit though. |
|
recheck |
felixfontein
added a commit
to felixfontein/ansible
that referenced
this pull request
Mar 13, 2021
|
I already created a backport PR for stable-2.9: ansible/ansible#73894 |
ansibullbot
added
community_review
and removed
needs_revision
felixfontein
added a commit
to felixfontein/ansible
that referenced
this pull request
Mar 15, 2021
relrod
pushed a commit
to ansible/ansible
that referenced
this pull request
Apr 3, 2021
relrod
pushed a commit
to ansible/ansible
that referenced
this pull request
Apr 3, 2021
clrpackages
pushed a commit
to clearlinux-pkgs/ansible
that referenced
this pull request
Apr 15, 2021
…2.9.20
Alina Buzachis (1):
New AWS module mod_defaults - rds_option_group (_info) modules (#74098)
Carlos Camacho (1):
[stable-2.9] Fix: nmcli bridge-slave fails with error (#74125)
Felix Fontein (4):
Backport of ansible-collections/community.docker#103. (#73890)
Backport of ansible-collections/community.aws#475. (#73894)
Backport of ansible-collections/community.general#2018. (#73893)
Backport of ansible-collections/community.network#223. (#73909)
Jill R (1):
New AWS module mod_defaults - wafv2 modules (#73975)
Mark Chappell (3):
Ensure unit test paths for connection and inventory plugins are based on the context (#73877)
Partial backport of community.aws/471 - no_log=True for aws_secret (#73874)
[backport/2.9] module_defaults: Add rds_snapshot (#74113)
Matt Clay (1):
[stable-2.9] Fix ansible-test coverage exporting.
Matt Martz (1):
[stable-2.9] Ensure task from the worker is finalized/squashed (#73881) (#73929)
Rick Elrod (5):
Update Ansible release version to v2.9.19.post0.
[security] Add more missing no_logs (#74115)
New release v2.9.20rc1
Update Ansible release version to v2.9.20rc1.post0.
New release v2.9.20
Sam Doran (2):
Move file needed by cs_volume test to S3
[stable-2.9] find - set proper default based on use_regex (#73961) (#73966)
Xabier Napal (1):
Fix wrong backup directory var name in apt module (#73840) (#74003)
nitzmahone (1):
add optional module_utils import support (#73832) (#73916)
alinabuzachis
pushed a commit
to alinabuzachis/community.aws
that referenced
this pull request
Jul 16, 2021
…n/real-secrets [security] Fix missing no_log=True This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections@26ad349
alinabuzachis
pushed a commit
to alinabuzachis/community.aws
that referenced
this pull request
Jul 19, 2021
…rets [security] Fix missing no_log=True
alinabuzachis
pushed a commit
to alinabuzachis/community.aws
that referenced
this pull request
Jul 19, 2021
…rets [security] Fix missing no_log=True
abikouo
pushed a commit
to abikouo/community.aws
that referenced
this pull request
Oct 24, 2023
Re-enable ec2_vpc_endpoint tests SUMMARY Tests were a little broken, fixed. Also tried splitting out the VPC cleanup code to reduce copy&paste. fixes: ansible-collections#475 ISSUE TYPE Bugfix Pull Request COMPONENT NAME ec2_vpc_endpoint ADDITIONAL INFORMATION Reviewed-by: Mark Chappell <None> Reviewed-by: Alina Buzachis <None>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SUMMARY
Fallout from the new
no_logsanity tests. I've checked with @tremble and these seem to be really missing.authentication_keyparameter is arguably secret (BGP Authentication Key)mfa_tokenis a one-time token; attackers could intercept the log call and use the token before it is used by the module.CC @jillr @relrod
ISSUE TYPE
COMPONENT NAME
aws_direct_connect_virtual_interface
sts_assume_role
sts_session_token