Protect against very large stdout fields

* Defer loading result_stdout_text until specifically needed * Conditionally display it based on the size of the field * Provide a helpful message otherwise
2026-03-22 03:17:39 -02:30 · 2015-07-22 14:13:48 -04:00
parent 0ff280a363
commit 55da712a95
4 changed files with 42 additions and 2 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -464,7 +464,8 @@ class UnifiedJobTemplateSerializer(BaseSerializer):

 class UnifiedJobSerializer(BaseSerializer):

-    result_stdout = serializers.CharField(source='result_stdout', label='result stdout', read_only=True)
+    #result_stdout = serializers.CharField(source='result_stdout', label='result stdout', read_only=True)
+    result_stdout = serializers.SerializerMethodField('get_result_stdout')
    unified_job_template = serializers.Field(source='unified_job_template_id', label='unified job template')
    job_env = serializers.CharField(source='job_env', label='job env', read_only=True)

@@ -475,6 +476,13 @@ class UnifiedJobSerializer(BaseSerializer):
                  'job_cwd', 'job_env', 'job_explanation', 'result_stdout',
                  'result_traceback')

+
+    def get_result_stdout(self, obj):
+        obj_size = obj.result_stdout_size
+        if obj_size > settings.STDOUT_MAX_BYTES_DISPLAY:
+            return "Standard Output too large to display (%d bytes), only download supported for sizes over %d bytes" % (obj_size, settings.STDOUT_MAX_BYTES_DISPLAY)
+        return obj.result_stdout
+
    def get_types(self):
        if type(self) is UnifiedJobSerializer:
            return ['project_update', 'inventory_update', 'job', 'ad_hoc_command', 'system_job']
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -2109,11 +2109,20 @@ class JobList(ListCreateAPIView):
    model = Job
    serializer_class = JobListSerializer

+    def get_queryset(self):
+        qs = self.request.user.get_queryset(self.model).defer('result_stdout_text')
+        return qs
+
 class JobDetail(RetrieveUpdateDestroyAPIView):

    model = Job
    serializer_class = JobSerializer

+    
+    def get_queryset(self):
+        qs = super(JobDetail, self).get_queryset().defer('result_stdout_text')
+        return qs
+
    def update(self, request, *args, **kwargs):
        obj = self.get_object()
        # Only allow changes (PUT/PATCH) when job status is "new".
@@ -2783,6 +2792,11 @@ class UnifiedJobList(ListAPIView):
    model = UnifiedJob
    serializer_class = UnifiedJobListSerializer
    new_in_148 = True
+    
+    def get_queryset(self):
+        qs = self.request.user.get_queryset(self.model).defer('result_stdout_text')
+        return qs
+

 class UnifiedJobStdout(RetrieveAPIView):

@@ -2793,8 +2807,17 @@ class UnifiedJobStdout(RetrieveAPIView):
    filter_backends = ()
    new_in_148 = True

+    def get_queryset(self):
+        qs = super(UnifiedJobStdout, self).get_queryset().defer('result_stdout_text')
+        return qs    
+
    def retrieve(self, request, *args, **kwargs):
        unified_job = self.get_object()
+        obj_size = unified_job.result_stdout_size
+        if request.accepted_renderer.format != 'txt_download' and obj_size > settings.STDOUT_MAX_BYTES_DISPLAY:
+            return Response("Standard Output too large to display (%d bytes), "
+                            "only download supported for sizes over %d bytes" % (obj_size, settings.STDOUT_MAX_BYTES_DISPLAY))
+
        if request.accepted_renderer.format in ('html', 'api', 'json'):
            start_line = request.QUERY_PARAMS.get('start_line', 0)
            end_line = request.QUERY_PARAMS.get('end_line', None)