From 8d32b4ecea655e419c75b9f6dfe14c9fd7038522 Mon Sep 17 00:00:00 2001 From: Marek Czernek Date: Mon, 3 Mar 2025 09:36:46 +0100 Subject: [PATCH] Remove password from shell after functional text matching (#705) --- salt/client/ssh/shell.py | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/salt/client/ssh/shell.py b/salt/client/ssh/shell.py index 182e2c19e30..fcacfa6f737 100644 --- a/salt/client/ssh/shell.py +++ b/salt/client/ssh/shell.py @@ -386,6 +386,13 @@ class Shell: cmd_lst.append("/bin/sh {}".format(cmd_part)) return cmd_lst + def _sanitize_str(self, text, sanitize_text): + """Remove all occurrences of sanitize_text from text""" + if not sanitize_text: + return text + replace_str = "*" * 6 + return re.sub(r"\b" + re.escape(sanitize_text) + r"\b", replace_str, text) + def _run_cmd(self, cmd, key_accept=False, passwd_retries=3): """ Execute a shell command via VT. This is blocking and assumes that ssh @@ -417,15 +424,11 @@ class Shell: while term.has_unread_data: stdout, stderr = term.recv() if stdout: - if self.passwd: - stdout = stdout.replace(self.passwd, ("*" * 6)) ret_stdout += stdout buff = old_stdout + stdout else: buff = stdout if stderr: - if self.passwd: - stderr = stderr.replace(self.passwd, ("*" * 6)) ret_stderr += stderr if buff and RSTR_RE.search(buff): # We're getting results back, don't try to send passwords @@ -458,7 +461,7 @@ class Shell: ret_stdout = ( "The host key needs to be accepted, to " "auto accept run salt-ssh with the -i " - "flag:\n{}".format(stdout) + f"flag:\n{self._sanitize_str(stdout, self.passwd)}" ) return ret_stdout, "", 254 elif buff and SUDO_PROMPT_RE.search(buff): @@ -484,6 +487,8 @@ class Shell: # as we just need to ensure the child process in term finished # to get proper term.exitstatus instead of None pass + ret_stdout = self._sanitize_str(ret_stdout, self.passwd) + ret_stderr = self._sanitize_str(ret_stderr, self.passwd) return ret_stdout, ret_stderr, term.exitstatus finally: term.close(terminate=True, kill=True) -- 2.48.1