Sanitize possible password argument when logging invocation; taken from user module

81953754 · Stephen Fromm · baf07659 · 81953754
Commit 81953754 authored Jul 20, 2012 by Stephen Fromm
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletions

lib/ansible/module_common.py
+4 -1

No files found.
--- a/lib/ansible/module_common.py
+++ b/lib/ansible/module_common.py
@@ -33,6 +33,7 @@ try:
 except ImportError:
    import simplejson as json
 import os
+import re
 import shlex
 import subprocess
 import sys
@@ -118,7 +119,9 @@ class AnsibleModule(object):
    def _log_invocation(self):
        ''' log that ansible ran the module '''
        syslog.openlog('ansible-%s' % os.path.basename(__file__))
-        syslog.syslog(syslog.LOG_NOTICE, 'Invoked with %s' % self.args)
+        # Sanitize possible password argument when logging
+        log_args = re.sub(r'password=.+ (.*)', r"password=NOT_LOGGING_PASSWORD \1", self.args)
+        syslog.syslog(syslog.LOG_NOTICE, 'Invoked with %s' % log_args)

    def exit_json(self, **kwargs):
        ''' return from the module, without error '''