Puppet / PUP-10100

Exec resource should not leak sensitive commands when a relative path is given

    Details

    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      If an exec resource's command is not executable or cannot be resolved into a fully qualified path, only print the command, but not the potentially sensitive arguments passed to the command. Also redact the output of sensitive commands when the logoutput parameter is true, or the parameter is on_failure (the default) and the command fails.
    • QA Risk Assessment:
      Needs Assessment

      Description

      From: https://tickets.puppetlabs.com/browse/PUP-6494?focusedCommentId=692157&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-692157

      exec { "echo_passphrase":
       command => Sensitive("echo \"${secretpw.unwrap}\""),
      }
      

      Error: Failed to apply catalog: Validation of Exec[populate_luksfile] failed: 'echo "supersecretpassword"' is not qualified and no path was specified. Please qualify the command or specify a path.
      

      The issue is that the error message includes the entire command to execute, instead of only the first component of the command, which wasn't an absolute path.
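
An added example, not Puppet's own code and not part of the original ticket: a Ruby illustration of the behaviour the release note describes, with the leaky message beside the redacted one and the output rule for sensitive commands. All function names, the `[redacted]` placeholder and the POSIX-only path check are assumptions; the sample command is the one from the report.

```ruby
# Added illustration; not Puppet's implementation. All names are hypothetical.
MSG = "'%s' is not qualified and no path was specified. " \
      'Please qualify the command or specify a path.'

# Executable part of a command line only. A quoted first token such as
# "/opt/my tool/run" --flag is kept whole; everything after it is dropped.
def executable_of(command)
  return command.first.to_s if command.is_a?(Array)
  quoted = /\A\s*(?:"([^"]+)"|'([^']+)')/.match(command)
  return quoted[1] || quoted[2] if quoted
  command.strip.split(/\s+/, 2).first.to_s
end

# Before: the whole command line, arguments included, lands in the error.
def leaky_message(command)
  format(MSG, command)
end

# After: only the unresolved executable is named.
def redacted_message(command)
  format(MSG, executable_of(command))
end

# Simplified validation: POSIX absolute path or an explicit search path.
def validate(command, path: nil)
  return :ok if path || executable_of(command).start_with?('/')
  raise ArgumentError, redacted_message(command)
end

# Output handling from the release note: log when logoutput is true, or when
# it is :on_failure and the command failed; never log sensitive output as-is.
def loggable_output(output, sensitive:, failed:, logoutput: :on_failure)
  return nil unless logoutput == true || (logoutput == :on_failure && failed)
  sensitive ? '[redacted]' : output
end

# Constructed sample, using the command from the report above.
SAMPLE = 'echo "supersecretpassword"'
if $PROGRAM_NAME == __FILE__
  puts leaky_message(SAMPLE)
  puts redacted_message(SAMPLE)
end
```
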

              People

              • Assignee: Josh Cooper
              • Reporter: Josh Cooper