Release 1.3.4.

**SECURITY** - CVE-2021-20180

Hide user sensitive information which is marked as ``secured``
while logging in console.

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
(cherry picked from commit 1d0c5e2ba4)

Co-authored-by: Abhijeet Kasurde <akasurde@redhat.com>

CHANGELOG.rst

@@ -5,6 +5,24 @@ Community General Release Notes
 .. contents:: Topics
 
 
+v1.3.4
+======
+
+Release Summary
+---------------
+
+Bugfix/security release that addresses CVE-2021-20180.
+
+Security Fixes
+--------------
+
+- bitbucket_pipeline_variable - **CVE-2021-20180** - hide user sensitive information which are marked as ``secured`` from logging into the console (https://github.com/ansible-collections/community.general/pull/1635).
+
+Bugfixes
+--------
+
+- npm - handle json decode exception while parsing command line output (https://github.com/ansible-collections/community.general/issues/1614).
+
 v1.3.3
 ======
 

changelogs/changelog.yaml

@@ -1802,3 +1802,16 @@ releases:
     - kubevirt-migration.yml
     - snmp_facts.yml
     release_date: '2021-01-13'
+  1.3.4:
+    changes:
+      bugfixes:
+      - npm - handle json decode exception while parsing command line output (https://github.com/ansible-collections/community.general/issues/1614).
+      release_summary: Bugfix/security release that addresses CVE-2021-20180.
+      security_fixes:
+      - bitbucket_pipeline_variable - **CVE-2021-20180** - hide user sensitive information
+        which are marked as ``secured`` from logging into the console (https://github.com/ansible-collections/community.general/pull/1635).
+    fragments:
+    - 1.3.4.yml
+    - 1614_npm.yml
+    - cve_bitbucket_pipeline_variable.yml
+    release_date: '2021-01-14'

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: community
 name: general
-version: 1.3.3
+version: 1.3.4
 readme: README.md
 authors:
   - Ansible (https://github.com/ansible)

plugins/modules/packaging/language/npm.py

@@ -7,39 +7,39 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 
 
-DOCUMENTATION = '''
+DOCUMENTATION = r'''
 ---
 module: npm
 short_description: Manage node.js packages with npm
 description:
-  - Manage node.js packages with Node Package Manager (npm)
+  - Manage node.js packages with Node Package Manager (npm).
 author: "Chris Hoffman (@chrishoffman)"
 options:
   name:
     description:
-      - The name of a node.js library to install
+      - The name of a node.js library to install.
     type: str
     required: false
   path:
     description:
-      - The base path where to install the node.js libraries
+      - The base path where to install the node.js libraries.
     type: path
     required: false
   version:
     description:
-      - The version to be installed
+      - The version to be installed.
     type: str
     required: false
   global:
     description:
-      - Install the node.js library globally
+      - Install the node.js library globally.
     required: false
     default: no
     type: bool
   executable:
     description:
       - The executable location for npm.
-      - This is useful if you are using a version manager, such as nvm
+      - This is useful if you are using a version manager, such as nvm.
     type: path
     required: false
   ignore_scripts:
@@ -55,12 +55,12 @@ options:
     default: no
   ci:
     description:
-      - Install packages based on package-lock file, same as running npm ci
+      - Install packages based on package-lock file, same as running C(npm ci).
     type: bool
     default: no
   production:
     description:
-      - Install dependencies in production mode, excluding devDependencies
+      - Install dependencies in production mode, excluding devDependencies.
     required: false
     type: bool
     default: no
@@ -71,7 +71,7 @@ options:
     type: str
   state:
     description:
-      - The state of the node.js library
+      - The state of the node.js library.
     required: false
     type: str
     default: present
@@ -80,7 +80,7 @@ requirements:
     - npm installed in bin path (recommended /usr/local/bin)
 '''
 
-EXAMPLES = '''
+EXAMPLES = r'''
 - name: Install "coffee-script" node.js package.
   community.general.npm:
     name: coffee-script
@@ -124,12 +124,12 @@ EXAMPLES = '''
     state: present
 '''
 
+import json
 import os
 import re
 
 from ansible.module_utils.basic import AnsibleModule
-
-import json
+from ansible.module_utils._text import to_native
 
 
 class Npm(object):
@@ -155,7 +155,7 @@ class Npm(object):
         else:
             self.name_version = self.name
 
-    def _exec(self, args, run_in_check_mode=False, check_rc=True):
+    def _exec(self, args, run_in_check_mode=False, check_rc=True, add_package_name=True):
         if not self.module.check_mode or (self.module.check_mode and run_in_check_mode):
             cmd = self.executable + args
 
@@ -167,7 +167,7 @@ class Npm(object):
                 cmd.append('--ignore-scripts')
             if self.unsafe_perm:
                 cmd.append('--unsafe-perm')
-            if self.name:
+            if self.name and add_package_name:
                 cmd.append(self.name_version)
             if self.registry:
                 cmd.append('--registry')
@@ -191,7 +191,11 @@ class Npm(object):
 
         installed = list()
         missing = list()
-        data = json.loads(self._exec(cmd, True, False))
+        data = {}
+        try:
+            data = json.loads(self._exec(cmd, True, False, False) or '{}')
+        except (getattr(json, 'JSONDecodeError', ValueError)) as e:
+            self.module.fail_json(msg="Failed to parse NPM output with error %s" % to_native(e))
         if 'dependencies' in data:
             for dep in data['dependencies']:
                 if 'missing' in data['dependencies'][dep] and data['dependencies'][dep]['missing']:

plugins/modules/source_control/bitbucket/bitbucket_pipeline_variable.py

@@ -85,7 +85,7 @@ EXAMPLES = r'''
 
 RETURN = r''' # '''
 
-from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.basic import AnsibleModule, _load_params
 from ansible_collections.community.general.plugins.module_utils.source_control.bitbucket import BitbucketHelper
 
 error_messages = {
@@ -211,6 +211,14 @@ def delete_pipeline_variable(module, bitbucket, variable_uuid):
         ))
 
 
+class BitBucketPipelineVariable(AnsibleModule):
+    def __init__(self, *args, **kwargs):
+        params = _load_params() or {}
+        if params.get('secured'):
+            kwargs['argument_spec']['value'].update({'no_log': True})
+        super(BitBucketPipelineVariable, self).__init__(*args, **kwargs)
+
+
 def main():
     argument_spec = BitbucketHelper.bitbucket_argument_spec()
     argument_spec.update(
@@ -221,7 +229,7 @@ def main():
         secured=dict(type='bool', default=False),
         state=dict(type='str', choices=['present', 'absent'], required=True),
     )
-    module = AnsibleModule(
+    module = BitBucketPipelineVariable(
         argument_spec=argument_spec,
         supports_check_mode=True,
     )

tests/unit/plugins/modules/packaging/language/test_npm.py

@@ -0,0 +1,70 @@
+#
+# Copyright: (c) 2021, Abhijeet Kasurde <akasurde@redhat.com>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible_collections.community.general.tests.unit.compat.mock import call, patch
+from ansible_collections.community.general.plugins.modules.packaging.language import npm
+from ansible_collections.community.general.tests.unit.plugins.modules.utils import (
+    AnsibleExitJson, AnsibleFailJson, ModuleTestCase, set_module_args)
+
+
+class NPMModuleTestCase(ModuleTestCase):
+    module = npm
+
+    def setUp(self):
+        super(NPMModuleTestCase, self).setUp()
+        ansible_module_path = "ansible_collections.community.general.plugins.modules.packaging.language.npm.AnsibleModule"
+        self.mock_run_command = patch('%s.run_command' % ansible_module_path)
+        self.module_main_command = self.mock_run_command.start()
+        self.mock_get_bin_path = patch('%s.get_bin_path' % ansible_module_path)
+        self.get_bin_path = self.mock_get_bin_path.start()
+        self.get_bin_path.return_value = '/testbin/npm'
+
+    def tearDown(self):
+        self.mock_run_command.stop()
+        self.mock_get_bin_path.stop()
+        super(NPMModuleTestCase, self).tearDown()
+
+    def module_main(self, exit_exc):
+        with self.assertRaises(exit_exc) as exc:
+            self.module.main()
+        return exc.exception.args[0]
+
+    def test_present(self):
+        set_module_args({
+            'name': 'coffee-script',
+            'global': 'true',
+            'state': 'present'
+        })
+        self.module_main_command.side_effect = [
+            (0, '{}', ''),
+            (0, '{}', ''),
+        ]
+
+        result = self.module_main(AnsibleExitJson)
+
+        self.assertTrue(result['changed'])
+        self.module_main_command.assert_has_calls([
+            call(['/testbin/npm', 'list', '--json', '--long', '--global'], check_rc=False, cwd=None),
+        ])
+
+    def test_absent(self):
+        set_module_args({
+            'name': 'coffee-script',
+            'global': 'true',
+            'state': 'absent'
+        })
+        self.module_main_command.side_effect = [
+            (0, '{"dependencies": {"coffee-script": {}}}', ''),
+            (0, '{}', ''),
+        ]
+
+        result = self.module_main(AnsibleExitJson)
+
+        self.assertTrue(result['changed'])
+        self.module_main_command.assert_has_calls([
+            call(['/testbin/npm', 'uninstall', '--global', 'coffee-script'], check_rc=True, cwd=None),
+        ])