copy existing env before making a safe env

* We should not modify the original env because it's what is going to be passed to the Ansible process. This will contain all of the passwords, unobscured. The safe env is what will get saved into the model.
2026-01-14 03:10:42 -03:30 · 2017-03-03 14:03:42 -05:00 · 2017-03-03 14:03:42 -05:00 · 4005cf927e
commit 4005cf927e
parent b5cfea2ed9
2 changed files with 11 additions and 4 deletions
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@ -478,16 +478,17 @@ class BaseTask(Task):
        '''
        hidden_re = re.compile(r'API|TOKEN|KEY|SECRET|PASS', re.I)
        urlpass_re = re.compile(r'^.*?://[^:]+:(.*?)@.*?$')
-        for k,v in env.items():
+        safe_env = dict(env)
+        for k,v in safe_env.items():
            if k in ('REST_API_URL', 'AWS_ACCESS_KEY', 'AWS_ACCESS_KEY_ID'):
                continue
            elif k.startswith('ANSIBLE_') and not k.startswith('ANSIBLE_NET'):
                continue
            elif hidden_re.search(k):
-                env[k] = HIDDEN_PASSWORD
+                safe_env[k] = HIDDEN_PASSWORD
            elif type(v) == str and urlpass_re.match(v):
-                env[k] = urlpass_re.sub(HIDDEN_PASSWORD, v)
-        return env
+                safe_env[k] = urlpass_re.sub(HIDDEN_PASSWORD, v)
+        return safe_env

    def args2cmdline(self, *args):
        return ' '.join([pipes.quote(a) for a in args])
--- a/awx/main/tests/unit/test_tasks.py
+++ b/awx/main/tests/unit/test_tasks.py
@ -84,6 +84,12 @@ def test_safe_env_filtering(key, value):
    assert task.build_safe_env({key: value})[key] == tasks.HIDDEN_PASSWORD


+def test_safe_env_returns_new_copy():
+    task = tasks.RunJob()
+    env = {'foo': 'bar'}
+    assert task.build_safe_env(env) is not env
+
+
 def test_openstack_client_config_generation(mocker):
    update = tasks.RunInventoryUpdate()
    inventory_update = mocker.Mock(**{