Protect against very large stdout fields

* Defer loading result_stdout_text until specifically needed * Conditionally display it based on the size of the field * Provide a helpful message otherwise
2026-05-14 12:57:40 -02:30 · 2015-07-22 14:13:48 -04:00
parent 0ff280a363
commit 55da712a95
4 changed files with 42 additions and 2 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -2109,11 +2109,20 @@ class JobList(ListCreateAPIView):
    model = Job
    serializer_class = JobListSerializer

+    def get_queryset(self):
+        qs = self.request.user.get_queryset(self.model).defer('result_stdout_text')
+        return qs
+
 class JobDetail(RetrieveUpdateDestroyAPIView):

    model = Job
    serializer_class = JobSerializer

+    
+    def get_queryset(self):
+        qs = super(JobDetail, self).get_queryset().defer('result_stdout_text')
+        return qs
+
    def update(self, request, *args, **kwargs):
        obj = self.get_object()
        # Only allow changes (PUT/PATCH) when job status is "new".
@@ -2783,6 +2792,11 @@ class UnifiedJobList(ListAPIView):
    model = UnifiedJob
    serializer_class = UnifiedJobListSerializer
    new_in_148 = True
+    
+    def get_queryset(self):
+        qs = self.request.user.get_queryset(self.model).defer('result_stdout_text')
+        return qs
+

 class UnifiedJobStdout(RetrieveAPIView):

@@ -2793,8 +2807,17 @@ class UnifiedJobStdout(RetrieveAPIView):
    filter_backends = ()
    new_in_148 = True

+    def get_queryset(self):
+        qs = super(UnifiedJobStdout, self).get_queryset().defer('result_stdout_text')
+        return qs    
+
    def retrieve(self, request, *args, **kwargs):
        unified_job = self.get_object()
+        obj_size = unified_job.result_stdout_size
+        if request.accepted_renderer.format != 'txt_download' and obj_size > settings.STDOUT_MAX_BYTES_DISPLAY:
+            return Response("Standard Output too large to display (%d bytes), "
+                            "only download supported for sizes over %d bytes" % (obj_size, settings.STDOUT_MAX_BYTES_DISPLAY))
+
        if request.accepted_renderer.format in ('html', 'api', 'json'):
            start_line = request.QUERY_PARAMS.get('start_line', 0)
            end_line = request.QUERY_PARAMS.get('end_line', None)