From 20d67cc562cd2695fb4e5ca7b0a58516e4ead638 Mon Sep 17 00:00:00 2001
From: Brian Coca
Date: Thu, 9 Feb 2017 13:59:29 -0500
Subject: [PATCH] use regex vs list to weed out password fields
 - also warn as module SHOULD have no_log
 - make password regex exportable for testing
 - avoids boolean fields
(cherry picked from commit 403e9d35dff54395766fcf74ed79d294728c1672)
---
 lib/ansible/module_utils/basic.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/ansible/module_utils/basic.py b/lib/ansible/module_utils/basic.py
index da50475120a..97b92db6a00 100644
--- a/lib/ansible/module_utils/basic.py
+++ b/lib/ansible/module_utils/basic.py
@@ -178,6 +178,8 @@ except ImportError:
 except ImportError:
     pass
 
+PASSWORD_MATCH = re.compile(r'^(?:.+[-_\s])?pass(?:[-_\s]?(?:word|phrase|wrd|wd)?)(?:[-_\s].+)?$', re.I)
+
 try:
     from ast import literal_eval
 except ImportError:
@@ -1627,17 +1629,19 @@ class AnsibleModule(object):
         # TODO: generalize a separate log function and make log_invocation use it
         # Sanitize possible password argument when logging.
         log_args = dict()
-        passwd_keys = ['password', 'login_password', 'url_password']
         for param in self.params:
             canon = self.aliases.get(param, param)
             arg_opts = self.argument_spec.get(canon, {})
             no_log = arg_opts.get('no_log', False)
+            arg_type = arg_opts.get('type', 'str')
             if self.boolean(no_log):
                 log_args[param] = 'NOT_LOGGING_PARAMETER'
-            elif param in passwd_keys:
+            # try to capture all passwords/passphrase named fields
+            elif arg_type != 'bool' and PASSWORD_MATCH.search(param):
                 log_args[param] = 'NOT_LOGGING_PASSWORD'
+                self.warn('Module did not set no_log for %s' % param)
             else:
                 param_val = self.params[param]
                 if not isinstance(param_val, basestring):
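Review bot: The new PASSWORD_MATCH pattern only recognises names built on the token `pass` (password, passphrase, passwd, `login_password`, `url_password`, `pass_word`, …), so secret-bearing parameters named e.g. `secret`, `token`, `api_key` or `private_key` are not caught by this heuristic and, if the module also omits `no_log`, will presumably still reach the invocation log. That is fine for a backstop, but the constant should say so where it is defined rather than leaving readers to decode the regex: `# Heuristic fallback for modules that forgot no_log: matches pass/password/passphrase/passwd style names, optionally prefixed or suffixed by -, _ or whitespace; any other secret must be covered by no_log in argument_spec.` A short comment listing the intended positives (`password`, `passphrase`, `passwd`, `db_pass`) and a deliberate negative (`bypass`, `passive` do not match because the prefix and suffix each require a separator) would also make the "exportable for testing" intent concrete. The pattern relies on `re` already being imported at module level, which is outside this hunk.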