salt/remove-password-from-shell-after-functional-text-mat.patch

From 8d32b4ecea655e419c75b9f6dfe14c9fd7038522 Mon Sep 17 00:00:00 2001
From: Marek Czernek <marek.czernek@suse.com>
Date: Mon, 3 Mar 2025 09:36:46 +0100
Subject: [PATCH] Remove password from shell after functional text
 matching (#705)

---
 salt/client/ssh/shell.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/salt/client/ssh/shell.py b/salt/client/ssh/shell.py
index 182e2c19e30..fcacfa6f737 100644
--- a/salt/client/ssh/shell.py
+++ b/salt/client/ssh/shell.py
@@ -386,6 +386,13 @@ class Shell:
             cmd_lst.append("/bin/sh {}".format(cmd_part))
         return cmd_lst
 
+    def _sanitize_str(self, text, sanitize_text):
+        """Remove all occurrences of sanitize_text from text"""
+        if not sanitize_text:
+            return text
+        replace_str = "*" * 6
+        return re.sub(r"\b" + re.escape(sanitize_text) + r"\b", replace_str, text)
+
     def _run_cmd(self, cmd, key_accept=False, passwd_retries=3):
         """
         Execute a shell command via VT. This is blocking and assumes that ssh
@@ -417,15 +424,11 @@ class Shell:
             while term.has_unread_data:
                 stdout, stderr = term.recv()
                 if stdout:
-                    if self.passwd:
-                        stdout = stdout.replace(self.passwd, ("*" * 6))
                     ret_stdout += stdout
                     buff = old_stdout + stdout
                 else:
                     buff = stdout
                 if stderr:
-                    if self.passwd:
-                        stderr = stderr.replace(self.passwd, ("*" * 6))
                     ret_stderr += stderr
                 if buff and RSTR_RE.search(buff):
                     # We're getting results back, don't try to send passwords
@@ -458,7 +461,7 @@ class Shell:
                         ret_stdout = (
                             "The host key needs to be accepted, to "
                             "auto accept run salt-ssh with the -i "
-                            "flag:\n{}".format(stdout)
+                            f"flag:\n{self._sanitize_str(stdout, self.passwd)}"
                         )
                         return ret_stdout, "", 254
                 elif buff and SUDO_PROMPT_RE.search(buff):
@@ -484,6 +487,8 @@ class Shell:
                     # as we just need to ensure the child process in term finished
                     # to get proper term.exitstatus instead of None
                     pass
+            ret_stdout = self._sanitize_str(ret_stdout, self.passwd)
+            ret_stderr = self._sanitize_str(ret_stderr, self.passwd)
             return ret_stdout, ret_stderr, term.exitstatus
         finally:
             term.close(terminate=True, kill=True)
-- 
2.48.1