diff --git a/changelogs/fragments/keep_log_at_info.yml b/changelogs/fragments/keep_log_at_info.yml
new file mode 100644
index 00000000000..b3d770603e7
--- /dev/null
+++ b/changelogs/fragments/keep_log_at_info.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - reset logging level to INFO due to CVE-2019-14846.
diff --git a/lib/ansible/utils/display.py b/lib/ansible/utils/display.py
index 425c5b1d00f..a372b691087 100644
--- a/lib/ansible/utils/display.py
+++ b/lib/ansible/utils/display.py
@@ -174,7 +174,8 @@ logger = None
 if getattr(C, 'DEFAULT_LOG_PATH'):
 path = C.DEFAULT_LOG_PATH
 if path and (os.path.exists(path) and os.access(path, os.W_OK)) or os.access(os.path.dirname(path), os.W_OK):
- logging.basicConfig(filename=path, level=logging.DEBUG,
+ # NOTE: level is kept at INFO to avoid security disclosures caused by certain libraries when using DEBUG
+ logging.basicConfig(filename=path, level=logging.INFO, # DO NOT set to logging.DEBUG
 format='%(asctime)s p=%(process)d u=%(user)s n=%(name)s | %(message)s')
 logger = logging.getLogger('ansible')
diff --git a/test/units/utils/display/test_logger.py b/test/units/utils/display/test_logger.py
new file mode 100644
index 00000000000..ed69393bdf7
--- /dev/null
+++ b/test/units/utils/display/test_logger.py
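Review bot: The INFO level on the new `logging.basicConfig(...)` line only gates records at the root logger itself; the FileHandler that `basicConfig` installs is left at NOTSET, and a record emitted by a third-party logger that has set its own level to DEBUG (`logging.getLogger('somelib').setLevel(logging.DEBUG)`) passes its own level check and propagates to root's handlers without root's level ever being consulted, so it still lands in the log file — exactly the CVE-2019-14846 scenario the comment describes. To make the mitigation hold regardless of what libraries do, clamp the handlers as well, right after the `basicConfig` call: `for handler in logging.getLogger().handlers:` / `    handler.setLevel(logging.INFO)  # DO NOT lower: CVE-2019-14846`. Note also that `basicConfig` silently does nothing when the root logger already has handlers, so in that case the INFO level is not applied at all; the loop above covers that case too by clamping whatever handlers are present. The module-level code around this `if` block continues outside the hunk.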
@@ -0,0 +1,31 @@
+# -*- coding: utf-8 -*-
+# Copyright (c) 2020 Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+import logging
+import sys
+
+
+def test_logger():
+ '''
+ Avoid CVE-2019-14846 as 3rd party libs will disclose secrets when
+ logging is set to DEBUG
+ '''
+
+ # clear loaded modules to have unadultered test.
+ for loaded in list(sys.modules.keys()):
+ if 'ansible' in loaded:
+ del sys.modules[loaded]
+
+ # force logger to exist via config
+ from ansible import constants as C
+ C.DEFAULT_LOG_PATH = '/dev/null'
+
+ # initialize logger
+ from ansible.utils.display import logger
+
+ assert logger.root.level != logging.DEBUG
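Review bot: The final assertion `logger.root.level != logging.DEBUG` is too weak to prove the fix: it also holds at the stock root default (WARNING), so the test passes even when `basicConfig` in display.py never took effect — which is what happens whenever the root logger already carries a handler at import time, and pytest's own logging plugin may well have installed one. Pin the intended configuration instead, `assert logger.root.level == logging.INFO`, and additionally check that a `logging.FileHandler` for the configured path is present in `logger.root.handlers`; if a pre-existing root handler makes that flaky, remove root's handlers in the test before the import and restore them afterwards. The test also mutates `sys.modules` (deleting every module whose name merely contains `'ansible'`) and `C.DEFAULT_LOG_PATH` without restoring either, which leaks into the rest of the session; a `monkeypatch` fixture (`monkeypatch.delitem(sys.modules, name)`, `monkeypatch.setattr(C, 'DEFAULT_LOG_PATH', ...)`) would revert both.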