Open azrdev opened 1 year ago
I'll do my best to describe what AWX does.
We prepare a dictionary of "prompts" here:
These are the passed in to ansible-runner
:
Which uses pexpect
to watch for these patterns and simulates a user typing:
What isn't clear to us is how your cmd: ansible-vault view vaulted.yml
is obtaining the password. That task should just hang forever since pexpect won't see the output until the task completes. Are you using vault_password_file
or some other way of getting that password into the environment?
This is a fresh install of AWX without customization, and the Project repo contains nothing but the two files. So no, I'm not doing any configuration and you should be able to reproduce the example.
@azrdev I will give it a shot, but in the future... if you think something is a security-related issue, please do not open an issue that is visible to the public. Most projects will have a security policy listed somewhere in the repo and/or in GitHub like you see below. We also opened https://github.com/ansible/awx/pull/13971 yesterday, which was in response to this issue being created.
@shanemcd thank you for thinking about it! Indeed I pondered reporting it as a security issue, but given it needs access to the playbook & module code I deemed it more a bug than a vulnerability.
Hmm, but is it really a bug? I mean, having vault-encrypted variables in inventory also does not prevent anybody to use ansible.builtin.debug to show their plaintext contant. If someone runs ansible-vault view command, and such code is commited (and hopefully reviewed) isn't it what it should actually do - render unencrypted contant of the file?
There might also be a slight risk, that someone emulates the vault prompt and gets the vault secret pasted in. But again - someone does such code review, right? I assume, if code goes to a branch that a job is running against, then it is meant to be executed and has been approved/reviewed. And therefore it works as expected from my point of view.
Please confirm the following
Bug Summary
We're looking again at jinja-controlled vault decryption (instead of relying on the yaml parser invoking decrypt):
We noticed that even though the
unvault
filter cannot use them, vault passwords are in fact exposed to processes spawned by ansible, i.e.command
andshell
modules and presumably every command called by any other module.I understand this is a different attack surface than exposing vault pw as ansible variable to python plugins, I'm still wondering if that's intentional and consistent.
AWX version
22.1.0
Select the relevant components
Installation method
kubernetes
Modifications
no
Ansible version
No response
Operating system
No response
Web browser
No response
Steps to reproduce
Put a vaulted file (
echo "foo: bar">vaulted.yml && ansible-vault encrypt vaulted.yml
) and the following playbook in a project:Run without vault credential:
Run with vault credential:
Expected results
the same as without credential
Actual results
Additional information
No response