Filter out messages that match the pattern username:password@host

This filtering is done in both the module invocation logging and in the regular verbose() logging output. Fixes #4087
2025-04-23 10:51:24 -07:00 · 2014-02-13 14:23:49 -06:00 · 2014-02-13 14:23:49 -06:00 · b8646991db
commit b8646991db
parent eaced05a77
3 changed files with 52 additions and 2 deletions
--- a/lib/ansible/module_utils/basic.py
+++ b/lib/ansible/module_utils/basic.py
@ -761,7 +761,13 @@ class AnsibleModule(object):
        # Sanitize possible password argument when logging.
        log_args = dict()
        passwd_keys = ['password', 'login_password']
-        
+
+        filter_re = [
+            # filter out things like user:pass@foo/whatever
+            # and http://username:pass@wherever/foo
+            re.compile('^(?P<before>.*:)(?P<password>.*)(?P<after>\@.*)$'), 
+        ]
+
        for param in self.params:
            canon  = self.aliases.get(param, param)
            arg_opts = self.argument_spec.get(canon, {})
@ -772,7 +778,16 @@ class AnsibleModule(object):
            elif param in passwd_keys:
                log_args[param] = 'NOT_LOGGING_PASSWORD'
            else:
-                log_args[param] = self.params[param]
+                found = False
+                for filter in filter_re:
+                    m = filter.match(str(self.params[param]))
+                    if m:
+                        d = m.groupdict()
+                        log_args[param] = d['before'] + "********" + d['after']
+                        found = True
+                        break
+                if not found:
+                    log_args[param] = self.params[param]

        module = 'ansible-%s' % os.path.basename(__file__)
        msg = ''