Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- None
Description
Puppet Version: 6.0.2
Puppet Server Version: 2019.0.0
OS Name/Version: Mac OS X, also confirmed on Linux by customer
The Notify{} resource will leak Sensitive data if the message is a raw value of Sensitive() type.
It looks like the Notify{} resource is mishandling the processing of the message parameter if the input is a raw Sensitive datatype (not encapsulated in double quotes).
Desired Behavior:
No Sensitive data should be output in clear text.
Actual Behavior:
For example, in the following code both message 1 and 2 leak sensitive data:
$secret = Sensitive('s3cret')
notify { 'Sensitive message 1':
  message => $secret,
}

notify { 'Sensitive message 2':
  message => Sensitive('s3cret2'),
}

notify { 'Sensitive message 3':
  message => "${secret}",
}
Output:
Notice: Compiled catalog for kevin.reeuwijk-c02tp0a7g8wl in environment production in 0.03 seconds
Notice: s3cret
Notice: /Stage[main]/Main/Notify[Sensitive message 1]/message: changed [redacted] to [redacted]
Notice: s3cret2
Notice: /Stage[main]/Main/Notify[Sensitive message 2]/message: changed [redacted] to [redacted]
Notice: Sensitive [value redacted]
Notice: /Stage[main]/Main/Notify[Sensitive message 3]/message: defined 'message' as 'Sensitive [value redacted]'
Notice: Applied catalog in 0.02 seconds
There are two messages in the output that should not appear:
Notice: s3cret
Notice: s3cret2
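Added example, not part of the original ticket or of Puppet's code: a Ruby check that audits saved Puppet run output for the leak pattern in the output above, where a Notify event reported as "changed [redacted] to [redacted]" is preceded by its message in clear text. It assumes the log layout shown in this ticket (the message line directly precedes the resource event line); `find_leaked_notifies` and the sample hostname are hypothetical names constructed for illustration.

```ruby
# Assumption from the ticket's output: a Notify resource logs its message as a
# bare "Notice: <message>" line, immediately followed by its resource event line.
EVENT = %r{\ANotice: /.*Notify\[(?<title>[^\]]+)\]/message: (?<change>.*)\z}
REDACTED_EVENT = 'changed [redacted] to [redacted]' # event text for a Sensitive message
PLACEHOLDER = 'Sensitive [value redacted]'          # what a safely redacted message prints

# Returns one hash per Notify resource whose Sensitive message was logged in
# clear text. Only the line number and length are reported, never the value,
# so the findings can be shared without repeating the secret.
def find_leaked_notifies(log_text)
  findings = []
  previous = nil # [line_number, message] of the last bare "Notice: ..." line
  log_text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty?
    if (m = EVENT.match(line))
      # A redacted event means the message was Sensitive; the line before it
      # must then be the placeholder, otherwise the secret was printed.
      if m[:change] == REDACTED_EVENT && previous && previous[1] != PLACEHOLDER
        findings << { title: m[:title], line: previous[0], length: previous[1].length }
      end
      previous = nil
    elsif line.start_with?('Notice: ') && !line.start_with?('Notice: /')
      previous = [lineno, line.delete_prefix('Notice: ')]
    else
      previous = nil
    end
  end
  findings
end

# Constructed sample: the ticket's run output with a placeholder hostname.
SAMPLE_LOG = <<~LOG
  Notice: Compiled catalog for agent.example.test in environment production in 0.03 seconds
  Notice: s3cret
  Notice: /Stage[main]/Main/Notify[Sensitive message 1]/message: changed [redacted] to [redacted]
  Notice: s3cret2
  Notice: /Stage[main]/Main/Notify[Sensitive message 2]/message: changed [redacted] to [redacted]
  Notice: Sensitive [value redacted]
  Notice: /Stage[main]/Main/Notify[Sensitive message 3]/message: defined 'message' as 'Sensitive [value redacted]'
  Notice: Applied catalog in 0.02 seconds
LOG

if __FILE__ == $PROGRAM_NAME
  find_leaked_notifies(SAMPLE_LOG).each do |f|
    puts "line #{f[:line]}: Notify[#{f[:title]}] logged a Sensitive message (#{f[:length]} chars)"
  end
end
```

Any value flagged this way has already been written to the log, so it should be treated as exposed and rotated.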