External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-07 09:27:36 -02:30
Code Issues Packages Projects Releases Wiki Activity

Harden log message output containing user input

Browse Source 
* base64 encode user inputed url when logging so that newlines or other
  malicious payloads can't be injected into the log stream
This commit is contained in:
Chris Meyers
2026-01-30 12:06:06 -05:00
committed by Chris Meyers
parent 63fafec76f
commit 37ccbc28bd
1 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
awx/main/notifications/webhook_backend.py
View File

@@ -1,6 +1,7 @@
# Copyright (c) 2016 Ansible, Inc. # Copyright (c) 2016 Ansible, Inc.
# All Rights Reserved. # All Rights Reserved.
import base64
import json import json
import logging import logging
import requests import requests
@@ -84,20 +85,25 @@ class WebhookBackend(AWXBaseEmailBackend, CustomNotificationBase):
if resp.status_code not in [301, 307]: if resp.status_code not in [301, 307]:
break break
# convert the url to a base64 encoded string for safe logging
url_log_safe = base64.b64encode(url.encode('UTF-8'))
# get the next URL to try
url_next = resp.headers.get("Location", None)
url_next_log_safe = base64.b64encode(url_next.encode('UTF-8')) if url_next else b'None'
# we've hit a redirect. extract the redirect URL out of the first response header and try again # we've hit a redirect. extract the redirect URL out of the first response header and try again
logger.warning( logger.warning(f"Received a {resp.status_code} from {url_log_safe}, trying to reach redirect url {url_next_log_safe}; attempt #{retries+1}")
f"Received a {resp.status_code} from {url}, trying to reach redirect url {resp.headers.get('Location', None)}; attempt #{retries+1}"
)
# take the first redirect URL in the response header and try that # take the first redirect URL in the response header and try that
url = resp.headers.get("Location", None) url = url_next
if url is None: if url is None:
err = f"Webhook notification received redirect to a blank URL from {url}. Response headers={resp.headers}" err = f"Webhook notification received redirect to a blank URL from {url_log_safe}. Response headers={resp.headers}"
break break
else: else:
# no break condition in the loop encountered; therefore we have hit the maximum number of retries # no break condition in the loop encountered; therefore we have hit the maximum number of retries
err = f"Webhook notification max number of retries [{self.MAX_RETRIES}] exceeded. Failed to send webhook notification to {url}" err = f"Webhook notification max number of retries [{self.MAX_RETRIES}] exceeded. Failed to send webhook notification to {url_log_safe}"
if resp.status_code >= 400: if resp.status_code >= 400:
err = f"Error sending webhook notification: {resp.status_code}" err = f"Error sending webhook notification: {resp.status_code}"