Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-10100

Exec resource should not leak sensitive commands when a relative path is given

    XMLWordPrintable

    Details

    • Template:
      PUP Bug Template
    • Team:
      Coremunity
    • Sprint:
      Platform Core KANBAN
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Hide
      If an exec resource's command is not executable or cannot be resolved into a fully qualified path, only print the command, but not the potentially sensitive arguments passed to the command. Also redact the output of sensitive commands when the logoutput parameter is true, or the parameter is on_failure (the default) and the command fails.
      Show
      If an exec resource's command is not executable or cannot be resolved into a fully qualified path, only print the command, but not the potentially sensitive arguments passed to the command. Also redact the output of sensitive commands when the logoutput parameter is true, or the parameter is on_failure (the default) and the command fails.
    • QA Risk Assessment:
      Needs Assessment

      Description

      From: https://tickets.puppetlabs.com/browse/PUP-6494?focusedCommentId=692157&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-692157

      exec { "echo_passphrase":
       command => Sensitive("echo \"${secretpw.unwrap}\""),
      }
      

      Error: Failed to apply catalog: Validation of Exec[populate_luksfile] failed: 'echo "supersecretpassword"' is not qualified and no path was specified. Please qualify the command or specify a path.
      

      The issue is the error message includes the entire command to execute, instead of the first component of command which wasn't an absolute path.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              josh Josh Cooper
              Reporter:
              josh Josh Cooper
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support