reset logging to INFO (#70878) (#70881)

- due to CVE-2019-14846 - also added comments and test to avoid 'oportunistic' reversion (cherry picked from commit 1223ce656a)
2020-07-24 16:47:57 -04:00 · 2020-07-24 16:47:57 -04:00 · 9b992c0b78
commit 9b992c0b78
parent cea2544943
3 changed files with 35 additions and 1 deletions
--- a/changelogs/fragments/keep_log_at_info.yml
+++ b/changelogs/fragments/keep_log_at_info.yml
@ -0,0 +1,2 @@
+bugfixes:
+  - reset logging level to INFO due to CVE-2019-14846.
--- a/lib/ansible/utils/display.py
+++ b/lib/ansible/utils/display.py
@ -79,7 +79,8 @@ logger = None
 if getattr(C, 'DEFAULT_LOG_PATH'):
    path = C.DEFAULT_LOG_PATH
    if path and (os.path.exists(path) and os.access(path, os.W_OK)) or os.access(os.path.dirname(path), os.W_OK):
-        logging.basicConfig(filename=path, level=logging.DEBUG,
+        # NOTE: level is kept at INFO to avoid security disclosures caused by certain libraries when using DEBUG
+        logging.basicConfig(filename=path, level=logging.INFO,  # DO NOT set to logging.DEBUG
                            format='%(asctime)s p=%(process)d u=%(user)s n=%(name)s | %(message)s')

        logger = logging.getLogger('ansible')
--- a/test/units/utils/display/test_logger.py
+++ b/test/units/utils/display/test_logger.py
@ -0,0 +1,31 @@
+# -*- coding: utf-8 -*-
+# Copyright (c) 2020 Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+import logging
+import sys
+
+
+def test_logger():
+    '''
+    Avoid CVE-2019-14846 as 3rd party libs will disclose secrets when
+    logging is set to DEBUG
+    '''
+
+    # clear loaded modules to have unadultered test.
+    for loaded in list(sys.modules.keys()):
+        if 'ansible' in loaded:
+            del sys.modules[loaded]
+
+    # force logger to exist via config
+    from ansible import constants as C
+    C.DEFAULT_LOG_PATH = '/dev/null'
+
+    # initialize logger
+    from ansible.utils.display import logger
+
+    assert logger.root.level != logging.DEBUG