From 2f9812e805f8e66feaf2689384ea6d669305d9a5 Mon Sep 17 00:00:00 2001
From: Brett Holman <brett.holman@canonical.com>
Date: Wed, 3 Apr 2024 13:51:25 -0600
Subject: [PATCH] fix: Logging sensitive data

Don't log sensitive data.

Since /var/log/cloud-init.log is a priviledged file, this does not expose a
secure system (no CVE). However, we don't want to log this information so that
users can file reports without having to manually redact logs.

Standardize log messages so that redacted and non-redacted logs match.

Reference:https://github.com/canonical/cloud-init/commit/2f9812e8
---
 cloudinit/subp.py | 24 +++++++++---------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/cloudinit/subp.py b/cloudinit/subp.py
index 85a970f..9347f4f 100644
--- a/cloudinit/subp.py
+++ b/cloudinit/subp.py
@@ -229,21 +229,15 @@ def subp(
     if status_cb:
         command = " ".join(args) if isinstance(args, list) else args
         status_cb("Begin run command: {command}\n".format(command=command))
-    if not logstring:
-        LOG.debug(
-            "Running command %s with allowed return codes %s"
-            " (shell=%s, capture=%s)",
-            args,
-            rcs,
-            shell,
-            "combine" if combine_capture else capture,
-        )
-    else:
-        LOG.debug(
-            "Running hidden command to protect sensitive "
-            "input/output logstring: %s",
-            logstring,
-        )
+
+    LOG.debug(
+        "Running command %s with allowed return codes %s"
+        " (shell=%s, capture=%s)",
+        logstring if logstring else args,
+        rcs,
+        shell,
+        "combine" if combine_capture else capture,
+    )
 
     stdin: Union[TextIOWrapper, int]
     stdout = None
-- 
2.27.0