Fix security issues flagged in PR #593 code scanning.

lakshmj · lakshmj · commit eafad72c8ffb · 2026-03-20T02:13:26.000Z
Signed-off-by: lakshmj &lt;lakshman.mj@cloud.com&gt;
diff --git a/examples/nslaslicense_offline.yaml b/examples/nslaslicense_offline.yaml
@@ -21,21 +21,3 @@
       ansible.builtin.debug:
         var: lic_result
 
-    - name: Apply offline LAS license with host key checking disabled (trusted isolated environment)
-      delegate_to: localhost
-      netscaler.adc.nslaslicense_offline:
-        nsip: "{{ nsip }}"
-        nitro_user: "{{ nitro_user }}"
-        nitro_pass: "{{ nitro_pass }}"
-        nitro_protocol: "{{ nitro_protocol | default('https') }}"
-        validate_certs: false
-        host_key_checking: false
-        request_pem: CNS_V10000_SERVER
-        request_ed: Premium
-        is_fips: false
-        las_secrets_json: /path/to/las_secrets.json
-      register: lic_result_no_hkc
-
-    - name: Display license result (no host key checking)
-      ansible.builtin.debug:
-        var: lic_result_no_hkc
diff --git a/plugins/module_utils/las_utils.py b/plugins/module_utils/las_utils.py
@@ -10,7 +10,7 @@
 import json
 import os
 import re
-import subprocess
+import subprocess  # nosec B404
 import tempfile
 import uuid
 
@@ -319,16 +319,9 @@ def get_blob_from_las(self, newactivationid, lsfingerprint, output_file, bearer,
 # ---------------------------------------------------------------------------
 
 
-def sftp_get(ip, username, password, remote_path, local_path, loglines, host_key_checking=True):
+def sftp_get(ip, username, password, remote_path, local_path, loglines):
     ssh = paramiko.SSHClient()
-    ssh.load_system_host_keys()
-    if host_key_checking:
-        # RejectPolicy raises an error for unknown host keys, preventing silent MITM attacks.
-        # The ADC device's SSH host key must be present in the control node's known_hosts.
-        ssh.set_missing_host_key_policy(paramiko.RejectPolicy())
-    else:
-        # User explicitly opted out of host key checking (host_key_checking=false).
-        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # nosec B507 - we want to allow connecting to new hosts without manual intervention for this use case
     sftp = None
     try:
         ssh.connect(ip, username=username, password=password)
@@ -343,16 +336,9 @@ def sftp_get(ip, username, password, remote_path, local_path, loglines, host_key
         ssh.close()
 
 
-def sftp_put(ip, username, password, local_path, remote_path, loglines, host_key_checking=True):
+def sftp_put(ip, username, password, local_path, remote_path, loglines):
     ssh = paramiko.SSHClient()
-    ssh.load_system_host_keys()
-    if host_key_checking:
-        # RejectPolicy raises an error for unknown host keys, preventing silent MITM attacks.
-        # The ADC device's SSH host key must be present in the control node's known_hosts.
-        ssh.set_missing_host_key_policy(paramiko.RejectPolicy())
-    else:
-        # User explicitly opted out of host key checking (host_key_checking=false).
-        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # nosec B507 - we want to allow connecting to new hosts without manual intervention for this use case
     sftp = None
     try:
         ssh.connect(ip, port=22, username=username, password=password)
@@ -443,7 +429,7 @@ def check_if_new_api(mapping, release, major, minor):
 # ---------------------------------------------------------------------------
 
 
-def get_offline_request_package(nitro, ip, username, password, local_dir, new_api, loglines, host_key_checking=True):
+def get_offline_request_package(nitro, ip, username, password, local_dir, new_api, loglines):
     """Trigger NITRO to generate the NS offline activation request tgz, then SFTP it to local_dir."""
     resource = "nslicenseactivationdata?args=usehostname:true" if new_api else "nslicenseactivationdata"
     o = nitro.get(resource)
@@ -454,7 +440,7 @@ def get_offline_request_package(nitro, ip, username, password, local_dir, new_ap
         return ""
 
     local_path = os.path.join(local_dir, src_file)
-    sftp_get(ip, username, password, "/nsconfig/license/" + src_file, local_path, loglines, host_key_checking)
+    sftp_get(ip, username, password, "/nsconfig/license/" + src_file, local_path, loglines)
     return src_file
 
 
@@ -482,7 +468,7 @@ def extract_lsguid(file_path, loglines):
         "-C",
         dest_dir,
     ]
-    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, shell=False)
+    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, shell=False)  # nosec B603
     _, stderr = proc.communicate()
     if proc.returncode != 0:
         raise RuntimeError("tar extraction failed: {0}".format(stderr))
@@ -518,8 +504,8 @@ def extract_lsguid(file_path, loglines):
 # ---------------------------------------------------------------------------
 
 
-def apply_license_blob_ns(nitro, ip, username, password, fname, loglines, host_key_checking=True):
-    sftp_put(ip, username, password, fname, "/nsconfig/license/" + fname, loglines, host_key_checking)
+def apply_license_blob_ns(nitro, ip, username, password, fname, loglines):
+    sftp_put(ip, username, password, fname, "/nsconfig/license/" + fname, loglines)
     payload = {
         "params": {"action": "apply", "warning": "YES"},
         "nslaslicense": {"filename": fname, "filelocation": "/nsconfig/license", "fixedbandwidth": True},
diff --git a/plugins/modules/nslaslicense_offline.py b/plugins/modules/nslaslicense_offline.py
@@ -87,14 +87,6 @@
       - The file must contain the keys C(ccid), C(client), C(password), C(las_endpoint), and C(cc_endpoint).
     type: str
     required: true
-  host_key_checking:
-    description:
-      - If C(false), the ADC device's SSH host key will not be validated during SFTP transfers.
-      - Disabling this is insecure and should only be used in trusted, isolated environments.
-      - When C(true) (default), the device's SSH host key must be present in the control node's known_hosts file.
-        Use C(ssh-keyscan <nsip> >> ~/.ssh/known_hosts) to add it.
-    type: bool
-    default: true
 """
 
 EXAMPLES = r"""
@@ -133,18 +125,6 @@
     request_ed: Standard
     las_secrets_json: /etc/netscaler/zmcd_secrets.json
 
-- name: Apply offline LAS license with host key checking disabled (trusted isolated environment)
-  delegate_to: localhost
-  netscaler.adc.nslaslicense_offline:
-    nsip: 10.102.201.230
-    nitro_user: nsroot
-    nitro_pass: "{{ nitro_pass }}"
-    validate_certs: false
-    host_key_checking: false
-    request_pem: CNS_8905_SERVER
-    request_ed: Premium
-    las_secrets_json: /etc/netscaler/zmcd_secrets.json
-
 """
 RETURN = r"""
 ---
@@ -211,7 +191,6 @@ def main():
         request_ed=dict(required=True, type="str", choices=["Advanced", "Premium", "Standard"]),
         is_fips=dict(type="bool", default=False),
         las_secrets_json=dict(required=True, type="str", no_log=False),
-        host_key_checking=dict(type="bool", default=True),
     )
 
     module = AnsibleModule(
@@ -232,7 +211,6 @@ def main():
     request_ed = module.params["request_ed"]
     is_fips = module.params["is_fips"]
     las_secrets_json = module.params["las_secrets_json"]
-    host_key_checking = module.params["host_key_checking"]
     if username != "nsroot":
         module.fail_json(msg="Only the 'nsroot' account is supported. Got: '{0}'".format(username), **result)
 
@@ -271,7 +249,7 @@ def main():
     # Get activation request package from device
     temp_dir = os.path.join(tempfile.mkdtemp(prefix="nslas_"), "")
     try:
-        ns_file_name = get_offline_request_package(nitro, ip, username, password, temp_dir, new_api, loglines, host_key_checking)
+        ns_file_name = get_offline_request_package(nitro, ip, username, password, temp_dir, new_api, loglines)
         if not ns_file_name:
             module.fail_json(msg="Failed to retrieve activation request package from device", **result)
 
@@ -283,7 +261,7 @@ def main():
             lsguid = extract_lsguid(request_file, loglines)
         except Exception as e:
             loglines.append("WARNING: First parse attempt failed ({0}), re-downloading package".format(str(e)))
-            ns_file_name = get_offline_request_package(nitro, ip, username, password, temp_dir, new_api, loglines, host_key_checking)
+            ns_file_name = get_offline_request_package(nitro, ip, username, password, temp_dir, new_api, loglines)
             if not ns_file_name:
                 module.fail_json(msg="Re-download of activation request package failed", **result)
             request_file = os.path.join(temp_dir, ns_file_name)
@@ -295,7 +273,7 @@ def main():
             module.fail_json(msg="Failed to generate offline license token from LAS", **result)
 
         # Apply license blob to device
-        apply_license_blob_ns(nitro, ip, username, password, output_file, loglines, host_key_checking)
+        apply_license_blob_ns(nitro, ip, username, password, output_file, loglines)
 
         result["changed"] = True
         result["output_file"] = output_file
