Mask passwords in exceptions and error messages

When a ProcessExecutionError is thrown by processutils.execute(), the exception may contain information such as password. Upstream applications that just log the message (as several appear to do) could inadvertently expose these passwords to a user with read access to the log files. It is therefore considered prudent to invoke strutils.mask_password() on the command, stdout and stderr in the exception. Cherry-pick from review.openstack.org/109417 Partial-Bug: #1343604 Change-Id: I9741dcdebdb4bed295ddc5ec4c4b117fffcfe88c
2014-08-26 18:16:40 +00:00 · 2014-08-26 18:16:40 +00:00 · 853d8f9897
parent 61d5de6985
commit 853d8f9897
1 changed files with 9 additions and 6 deletions
--- a/nova/openstack/common/processutils.py
+++ b/nova/openstack/common/processutils.py
@ -31,6 +31,7 @@ import six

 from nova.openstack.common.gettextutils import _
 from nova.openstack.common import log as logging
+from nova.openstack.common import strutils


 LOG = logging.getLogger(__name__)
@ -152,12 +153,12 @@ def execute(*cmd, **kwargs):
        cmd = shlex.split(root_helper) + list(cmd)

    cmd = map(str, cmd)
+    sanitized_cmd = strutils.mask_password(' '.join(cmd))

    while attempts > 0:
        attempts -= 1
        try:
-            LOG.log(loglevel, 'Running cmd (subprocess): %s',
-                    logging.mask_password(' '.join(cmd)))
+            LOG.log(loglevel, _('Running cmd (subprocess): %s'), sanitized_cmd)
            _PIPE = subprocess.PIPE  # pylint: disable=E1101

            if os.name == 'nt':
@ -194,16 +195,18 @@ def execute(*cmd, **kwargs):
            LOG.log(loglevel, 'Result was %s' % _returncode)
            if not ignore_exit_code and _returncode not in check_exit_code:
                (stdout, stderr) = result
+                sanitized_stdout = strutils.mask_password(stdout)
+                sanitized_stderr = strutils.mask_password(stderr)
                raise ProcessExecutionError(exit_code=_returncode,
-                                            stdout=stdout,
-                                            stderr=stderr,
-                                            cmd=' '.join(cmd))
+                                            stdout=sanitized_stdout,
+                                            stderr=sanitized_stderr,
+                                            cmd=sanitized_cmd)
            return result
        except ProcessExecutionError:
            if not attempts:
                raise
            else:
-                LOG.log(loglevel, '%r failed. Retrying.', cmd)
+                LOG.log(loglevel, _('%r failed. Retrying.'), sanitized_cmd)
                if delay_on_retry:
                    greenthread.sleep(random.randint(20, 200) / 100.0)
        finally: