Puppet / PUP-9295

Notify resource exposes Sensitive data when message is a Sensitive data

    Details

    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Redact sensitive values when interpolated in a notify resource's message.

      note added for 6.10.1-jb
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: 6.0.2
      Puppet Server Version: 2019.0.0
      OS Name/Version: Mac OS X, also confirmed on Linux by customer

      The Notify{} resource will leak Sensitive data if the message is a raw value of Sensitive() type.

      It looks like the Notify{} resource is mishandling the processing of the message parameter if the input is a raw Sensitive datatype (not encapsulated in double quotes).

      Desired Behavior:

      No Sensitive data should be output in clear text.

      Actual Behavior:

      For example, in the following code both message 1 and 2 leak sensitive data:

      $secret = Sensitive('s3cret')
      notify { 'Sensitive message 1':
       message => $secret,
      }
      notify { 'Sensitive message 2':
       message => Sensitive('s3cret2'),
      }
      notify { 'Sensitive message 3':
       message => "${secret}",
      }
      

      Output:

      Notice: Compiled catalog for kevin.reeuwijk-c02tp0a7g8wl in environment production in 0.03 seconds
      Notice: s3cret
      Notice: /Stage[main]/Main/Notify[Sensitive message 1]/message: changed [redacted] to [redacted]
      Notice: s3cret2
      Notice: /Stage[main]/Main/Notify[Sensitive message 2]/message: changed [redacted] to [redacted]
      Notice: Sensitive [value redacted]
      Notice: /Stage[main]/Main/Notify[Sensitive message 3]/message: defined 'message' as 'Sensitive [value redacted]'
      Notice: Applied catalog in 0.02 seconds

      There are two messages in the output that should not appear:

       

      Notice: s3cret
      Notice: s3cret2
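
Added example (not part of the original report and not Puppet project code): a Ruby heuristic that scans saved agent output for the pattern shown above, a bare `Notice:` line directly followed by a notify `message` event reading `changed [redacted] to [redacted]`, so affected runs can be found and the exposed values rotated. The function name and the reliance on this line ordering are assumptions drawn only from the output in this report.

```ruby
# Heuristic audit of Puppet agent output for the leak pattern in PUP-9295.
# Assumption: a leaking notify logs its message as a bare "Notice:" line
# immediately before its "/message: changed [redacted] to [redacted]" event,
# as in the output quoted in this report.

# Event logged when a notify's message property held a Sensitive value.
SENSITIVE_EVENT = %r{\ANotice: /.*Notify\[(?<title>.+)\]/message: changed \[redacted\] to \[redacted\]\z}
# Notice line with no resource path, i.e. the message text itself.
BARE_NOTICE = %r{\ANotice: (?<text>(?!/).*)\z}
# Placeholder Puppet prints when the value was redacted correctly.
REDACTED = /\[(?:value )?redacted\]/

# Returns one finding per leaked message: the notify title and the 1-based
# line number of the clear-text line. The leaked text itself is not copied
# into the findings, so the audit report does not repeat the secret.
def leaked_notify_messages(lines)
  findings = []
  lines.map(&:strip).each_cons(2).with_index(1) do |(prev, cur), lineno|
    event = SENSITIVE_EVENT.match(cur)
    bare = BARE_NOTICE.match(prev)
    next unless event && bare
    next if REDACTED.match?(bare[:text])
    findings << { title: event[:title], line: lineno }
  end
  findings
end

# Sample input: the agent output quoted in this report.
SAMPLE_OUTPUT = <<~'LOG'
  Notice: Compiled catalog for kevin.reeuwijk-c02tp0a7g8wl in environment production in 0.03 seconds
  Notice: s3cret
  Notice: /Stage[main]/Main/Notify[Sensitive message 1]/message: changed [redacted] to [redacted]
  Notice: s3cret2
  Notice: /Stage[main]/Main/Notify[Sensitive message 2]/message: changed [redacted] to [redacted]
  Notice: Sensitive [value redacted]
  Notice: /Stage[main]/Main/Notify[Sensitive message 3]/message: defined 'message' as 'Sensitive [value redacted]'
  Notice: Applied catalog in 0.02 seconds
LOG

if __FILE__ == $PROGRAM_NAME
  leaked_notify_messages(SAMPLE_OUTPUT.lines).each do |f|
    puts "line #{f[:line]}: Notify[#{f[:title]}] logged a Sensitive message in clear text"
  end
end
```
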
      

      People

      • Assignee:
        josh Josh Cooper
      • Reporter:
        kevin.reeuwijk Kevin Reeuwijk