  1. Puppet
  2. PUP-10100

Exec resource should not leak sensitive commands when a relative path is given


Details

    • Bug Fix
      If an exec resource's command is not executable or cannot be resolved into a fully qualified path, only print the command, but not the potentially sensitive arguments passed to the command. Also redact the output of sensitive commands when the logoutput parameter is true, or the parameter is on_failure (the default) and the command fails.
    • Needs Assessment

    Description

      From: https://tickets.puppetlabs.com/browse/PUP-6494?focusedCommentId=692157&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-692157

      exec { "echo_passphrase":
       command => Sensitive("echo \"${secretpw.unwrap}\""),
      }
      

      Error: Failed to apply catalog: Validation of Exec[populate_luksfile] failed: 'echo "supersecretpassword"' is not qualified and no path was specified. Please qualify the command or specify a path.
      

      The issue is that the error message includes the entire command to execute, instead of the first component of the command, which wasn't an absolute path.
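The behaviour this ticket asks for, sketched as an added Ruby example (not Puppet's own code, and not taken from the ticket): the validation error names only the executable, and output of a sensitive command is replaced before logging. The helper names, the `[redacted]` placeholder and the POSIX-only path check are assumptions made for illustration.

```ruby
require 'shellwords'

# Hypothetical helpers, not Puppet's implementation.
REDACTED = '[redacted]' # constructed placeholder text

# First shell word of the command: the only part an error needs to name.
def executable_of(command)
  Shellwords.split(command).first.to_s
rescue ArgumentError # unbalanced quotes: fall back to a whitespace split
  command.split(/\s+/, 2).first.to_s
end

# Returns nil when the command is usable, otherwise an error message that
# names the executable but never its arguments.
# Simplification: any non-empty path counts as "a path was specified",
# and only POSIX absolute paths count as qualified.
def validation_error(command, path: nil)
  exe = executable_of(command)
  return nil if exe.start_with?('/') || (path && !path.empty?)

  "'#{exe}' is not qualified and no path was specified. " \
    'Please qualify the command or specify a path.'
end

# Decide what may be written to the log once the command has finished.
# logoutput is true, false or :on_failure (the default named in the ticket).
def loggable_output(output, sensitive:, success:, logoutput: :on_failure)
  show = logoutput == true || (logoutput == :on_failure && !success)
  return nil unless show

  sensitive ? REDACTED : output
end

if __FILE__ == $PROGRAM_NAME
  # The command from the ticket, already unwrapped for validation.
  puts validation_error('echo "supersecretpassword"')
  puts loggable_output('supersecretpassword', sensitive: true, success: false)
end
```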

            People

              josh Josh Cooper