DataDog / ansible-datadog

Ansible role for Datadog Agent
Apache License 2.0

Password leaks in logs for datadog_windows_ddagentuser_password #562

Open a-rhodes opened 3 months ago

a-rhodes commented 3 months ago

https://github.com/DataDog/ansible-datadog/blob/00fd7515dafbc160dcac19b58e310509163b1aa2/tasks/pkg-windows.yml#L77-L81

When the Ansible verbosity level is 1 or more (aka -v), the password is written to the logs. This task should have no_log: true on it.

Example playbook to reproduce:

- name: Debug
  hosts: all
  gather_facts: false
  vars:
    agent_win_install_args: "DDAGENTUSER_USER=FOOBAR"
    datadog_windows_ddagentuser_password: "{{ lookup('ansible.builtin.env', 'MY_SECRET_PASS') }}"
  tasks:
    # We set DD Password Arg here to prevent it from being printed in any kind of debug logs/messages prior usage
    - name: Set DD Password Arg
      set_fact:
        agent_win_install_args: "{{ agent_win_install_args }} DDAGENTUSER_PASSWORD={{ datadog_windows_ddagentuser_password }}"
      when: datadog_windows_ddagentuser_password | default('', true) | length > 0

Running the above command:

$ MY_SECRET_PASS=MySecretPassword ansible-playbook -i inventory.yaml playbook-debug.yaml -v
No config file found; using defaults

PLAY [Debug] ************************************************************************************************************************************************************************************************

TASK [Set DD Password Arg] **********************************************************************************************************************************************************************************
ok: [demo-host] => {"ansible_facts": {"agent_win_install_args": "DDAGENTUSER_USER=FOOBAR DDAGENTUSER_PASSWORD=MySecretPassword"}, "changed": false}

PLAY RECAP **************************************************************************************************************************************************************************************************
demo-host                  : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Adding no_log: true to the task, the result looks like:

$ MY_SECRET_PASS=MySecretPassword ansible-playbook -i inventory.yaml playbook-debug.yaml -v
No config file found; using defaults

PLAY [Debug] ************************************************************************************************************************************************************************************************

TASK [Set DD Password Arg] **********************************************************************************************************************************************************************************
ok: [demo-host] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}

PLAY RECAP **************************************************************************************************************************************************************************************************
demo-host                  : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

wayofthepie commented 2 months ago

Same problem here, it seems:

https://github.com/DataDog/ansible-datadog/blob/e9e6a5c7ca72312837e3a0abbe887305e70cf0b8/tasks/main.yml#L10-L12

That leaks the api_key.
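The following playbook is an added example, not code from the role or from either commenter: it takes the reproducer from the first comment and applies the fix both comments ask for (no_log: true on the set_fact that carries the ddagentuser password, and the same guard on a stand-in for the tasks/main.yml task that handles the api_key), then verifies the fact was assembled without echoing it. The environment variable names MY_SECRET_PASS and DD_API_KEY, the task names, and the api_key task body are assumptions; the real tasks/main.yml lines are not reproduced here, only the pattern of guarding them.

```yaml
# Added example (not the role's own code): the reporter's reproducer with the
# secret-bearing tasks marked no_log, plus a check that does not echo the value.
# Assumed: MY_SECRET_PASS and DD_API_KEY are set on the controller; task names
# and the api_key task body are illustrative stand-ins.
- name: Debug (hardened)
  hosts: all
  gather_facts: false
  vars:
    agent_win_install_args: "DDAGENTUSER_USER=FOOBAR"
    datadog_windows_ddagentuser_password: "{{ lookup('ansible.builtin.env', 'MY_SECRET_PASS') }}"
  tasks:
    - name: Set DD Password Arg
      ansible.builtin.set_fact:
        agent_win_install_args: "{{ agent_win_install_args }} DDAGENTUSER_PASSWORD={{ datadog_windows_ddagentuser_password }}"
      when: datadog_windows_ddagentuser_password | default('', true) | length > 0
      # With -v the callback prints ansible_facts for set_fact; no_log replaces
      # the whole result with the "censored" placeholder shown in the issue.
      no_log: true

    # Stand-in for the tasks/main.yml task wayofthepie points at (hypothetical
    # body): any task whose result would contain the api_key gets the same guard.
    - name: Set Datadog API key fact
      ansible.builtin.set_fact:
        datadog_api_key: "{{ lookup('ansible.builtin.env', 'DD_API_KEY') }}"
      no_log: true

    # Verify the install args were assembled without printing them: quiet
    # suppresses the module's per-condition echo, and no_log also censors the
    # failure message, which would otherwise include the evaluated expression.
    - name: Check install args carry the password argument
      ansible.builtin.assert:
        that:
          - "'DDAGENTUSER_PASSWORD=' in agent_win_install_args"
        quiet: true
      no_log: true
      when: datadog_windows_ddagentuser_password | default('', true) | length > 0
```

Run it with the same command as in the issue (MY_SECRET_PASS=... ansible-playbook -i inventory.yaml playbook-debug.yaml -v) and both set_fact tasks print the censored placeholder instead of the facts. Two caveats a reviewer would want noted: no_log hides only that task's result, so the password is still present in agent_win_install_args and any later task that consumes it (the installer invocation) or prints it (a debug task) needs no_log as well; and because failures of a no_log task are censored too, a broken task shows only the placeholder, so test the task logic with a throwaway value before relying on the guard in production runs.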