Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1511759

Summary: callback_plugins/validation_output.py doesn't sanitize input
Product: Red Hat OpenStack
Reporter: Summer Long <slong>
Component: openstack-tripleo-validations
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED ERRATA
QA Contact: grozov
Severity: medium
Priority: medium
Version: 12.0 (Pike)
CC: augol, beth.white, jjoyce, jschluet, nlevinki, rhos-maint, sclewis, slinaber, tvignaud, ukalifon
Target Milestone: beta
Keywords: Security, Triaged
Target Release: 14.0 (Rocky)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-validations-9.1.1-0.20180706135914.d21e7fa.el7ost
Clone Of: 1511757
Last Closed: 2019-01-11 11:48:21 UTC
Type: Bug
Bug Depends On: 1511757
Bug Blocks: 1511758

Description Summer Long 2017-11-10 03:37:06 UTC
+++ This bug was initially created as a clone of Bug #1511757 +++

Description of problem:
Callback plugins should use the CallbackBase._dump_results() method for no_log to take effect (and not just use raw results).  

However, there are two lines in: 
/usr/share/openstack-tripleo-validations/validations/callback_plugins/validation_output.py
which use raw results, and which could be an issue if those results are expected to hold secrets.

def v2_runner_on_ok
        results = result._result  # A dict of the module name etc.
def v2_runner_on_failed
        result_dict = result._result  # A dict of the module name etc.

Unless results in these two lines are expected to hold secrets, this should just be a hardening bug.

Version-Release number of selected component (if applicable):
openstack-tripleo-validations-7.4.1-2.el7ost

Expected results:
Should do something like: self._dump_results(result._result)
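
Added example, not part of the original report and not the project's code: a standalone sketch of the raw and hardened handler patterns described above. `dump_results`, `FakeTaskResult`, `on_ok_raw` and `on_ok_hardened` are hypothetical names; `dump_results` is a simplified stand-in for `CallbackBase._dump_results()` that assumes, as the report does, that a result flagged with `_ansible_no_log` can reach the callback uncensored, and it additionally censors flagged loop items.

```python
import json

CENSORED = "the output has been hidden due to the fact that 'no_log: true' was specified for this result"


def dump_results(result):
    """Stand-in for CallbackBase._dump_results(): honour the no_log flag."""
    if result.get("_ansible_no_log", False):
        return json.dumps({"censored": CENSORED})
    # Drop internal _ansible_* bookkeeping keys; censor flagged loop items.
    clean = {k: v for k, v in result.items() if not k.startswith("_ansible_")}
    if isinstance(clean.get("results"), list):
        clean["results"] = [
            {"censored": CENSORED}
            if isinstance(item, dict) and item.get("_ansible_no_log")
            else item
            for item in clean["results"]
        ]
    return json.dumps(clean, sort_keys=True)


class FakeTaskResult:
    """Constructed stand-in for the result object passed to v2_runner_on_*."""
    def __init__(self, result):
        self._result = result


def on_ok_raw(result):
    """Pattern from the report: reads result._result directly."""
    results = result._result
    return "Success: " + json.dumps(results, sort_keys=True)


def on_ok_hardened(result):
    """Hardened pattern: only ever format the sanitized dump."""
    return "Success: " + dump_results(result._result)


# Constructed sample: a task that ran with no_log: true.
SECRET_TASK = FakeTaskResult({
    "_ansible_no_log": True,
    "changed": False,
    "stdout": "admin_password=constructed-example-secret",
})

if __name__ == "__main__":
    print(on_ok_raw(SECRET_TASK))       # secret is printed
    print(on_ok_hardened(SECRET_TASK))  # secret is censored
```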

Comment 5 grozov 2018-11-11 08:17:05 UTC
What exactly is the fix? What am I supposed to test?

Comment 6 Ana Krivokapic 2018-11-12 09:15:26 UTC
This is a security hardening bug (see original bug report); there are no user-visible changes to test.

Comment 7 Udi Kalifon 2018-11-15 08:12:28 UTC
Verified the fix is in: openstack-tripleo-validations-9.3.1-0.20181008110747.4064fb7.el7ost.noarch

Comment 10 errata-xmlrpc 2019-01-11 11:48:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:0045