From 4005cf927ef80513bf4fd2d6d7814d4b929009fc Mon Sep 17 00:00:00 2001
From: Chris Meyers
Date: Fri, 3 Mar 2017 14:03:42 -0500
Subject: [PATCH] copy existing env before making a safe env
* We should not modify the original env because it's what is going to be passed to the Ansible process. This will contain all of the passwords, unobscured. The safe env is what will get saved into the model.
---
 awx/main/tasks.py | 9 +++++----
 awx/main/tests/unit/test_tasks.py | 6 ++++++
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index a48b7a3b19..6a448a1b7b 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -478,16 +478,17 @@ class BaseTask(Task):
 '''
 hidden_re = re.compile(r'API|TOKEN|KEY|SECRET|PASS', re.I)
 urlpass_re = re.compile(r'^.*?://[^:]+:(.*?)@.*?$')
- for k,v in env.items():
+ safe_env = dict(env)
+ for k,v in safe_env.items():
 if k in ('REST_API_URL', 'AWS_ACCESS_KEY', 'AWS_ACCESS_KEY_ID'):
 continue
 elif k.startswith('ANSIBLE_') and not k.startswith('ANSIBLE_NET'):
 continue
 elif hidden_re.search(k):
- env[k] = HIDDEN_PASSWORD
+ safe_env[k] = HIDDEN_PASSWORD
 elif type(v) == str and urlpass_re.match(v):
- env[k] = urlpass_re.sub(HIDDEN_PASSWORD, v)
- return env
+ safe_env[k] = urlpass_re.sub(HIDDEN_PASSWORD, v)
+ return safe_env
 def args2cmdline(self, *args):
 return ' '.join([pipes.quote(a) for a in args])
diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py
index 387506ce4c..16b9bc6b14 100644
--- a/awx/main/tests/unit/test_tasks.py
+++ b/awx/main/tests/unit/test_tasks.py
@@ -84,6 +84,12 @@ def test_safe_env_filtering(key, value):
 assert task.build_safe_env({key: value})[key] == tasks.HIDDEN_PASSWORD
+def test_safe_env_returns_new_copy():
+ task = tasks.RunJob()
+ env = {'foo': 'bar'}
+ assert task.build_safe_env(env) is not env
+
+
 def test_openstack_client_config_generation(mocker):
 update = tasks.RunInventoryUpdate()
 inventory_update = mocker.Mock(**{
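Review bot: The URL-password branch, `elif type(v) == str and urlpass_re.match(v):`, fires only for values whose type is exactly `str`, so a value of another string type (a `unicode` value if this module runs on Python 2, or a `str` subclass) that embeds a credential in a URL would be copied into `safe_env` unredacted and saved with the model. An `isinstance` check covering every string type the env can hold would close that gap, for example `elif isinstance(v, six.string_types) and urlpass_re.match(v):` if `six` is available in this module. The `dict(env)` copy is shallow, which is enough here because the loop only rebinds keys. A short comment on that line, such as `# copy: the caller's env keeps the real secrets for the Ansible process`, would keep a later refactor from reintroducing the in-place edit. The method's signature and docstring start above the hunk.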
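Review bot: `test_safe_env_returns_new_copy` asserts only object identity, and with a key the filter never touches, so it does not pin the behaviour the commit message describes: the caller's dict keeping its real secret while the returned dict is redacted. Use a key that `hidden_re` matches and assert both sides, e.g. `env = {'SECRET_KEY': 'sample-value'}`, `safe = task.build_safe_env(env)`, `assert env['SECRET_KEY'] == 'sample-value' and safe['SECRET_KEY'] == tasks.HIDDEN_PASSWORD` (the value is a constructed sample). That form fails against the old in-place implementation for the reason that matters, not merely because the same object came back.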