pass: Strip only trailing newline characters from the secret

2025-04-17 10:10:20 +00:00 · 2022-05-27 11:14:56 +02:00 · 2022-05-27 11:14:56 +02:00 · 8270d639c7
commit 8270d639c7
parent 50975d10bd
2 changed files with 6 additions and 2 deletions
--- a/changelog/62120.fixed
+++ b/changelog/62120.fixed
@ -1 +1,2 @@
+Only trailing newlines are stripped from the fetched secret.
 Pass process arguments are handled in a secure way.
--- a/salt/renderers/pass.py
+++ b/salt/renderers/pass.py
@ -75,6 +75,9 @@ def _fetch_secret(pass_path):
    Fetch secret from pass based on pass_path. If there is
    any error, return back the original pass_path value
    """
+    # Make a backup in case we want to return the original value without stripped whitespaces
+    original_pass_path = pass_path
+
    # Remove whitespaces from the pass_path
    pass_path = pass_path.strip()

@ -88,8 +91,8 @@ def _fetch_secret(pass_path):
    # stdout instead of stderr even though its returncode was non zero.
    if proc.returncode or not pass_data:
        log.warning("Could not fetch secret: %s %s", pass_data, pass_error)
-        pass_data = pass_path
-    return pass_data.strip()
+        return original_pass_path
+    return pass_data.rstrip("\r\n")


 def _decrypt_object(obj):