only record task.args in the callback plugin if DISPLAY_ARGS_TO_STDOUT

see: https://github.com/ansible/awx/issues/1633
2026-05-08 09:57:35 -02:30 · 2018-04-02 12:16:17 -04:00
parent 47fa99d3ad
commit 5fd5c95a1d
3 changed files with 15 additions and 17 deletions
--- a/awx/lib/awx_display_callback/module.py
+++ b/awx/lib/awx_display_callback/module.py
@@ -28,6 +28,7 @@ import uuid
 from copy import copy

 # Ansible
+from ansible import constants as C
 from ansible.plugins.callback import CallbackBase
 from ansible.plugins.callback.default import CallbackModule as DefaultCallbackModule

@@ -126,16 +127,19 @@ class BaseCallbackModule(CallbackBase):
            task=(task.name or task.action),
            task_uuid=str(task._uuid),
            task_action=task.action,
+            task_args='',
        )
        try:
            task_ctx['task_path'] = task.get_path()
        except AttributeError:
            pass
-        if task.no_log:
-            task_ctx['task_args'] = "the output has been hidden due to the fact that 'no_log: true' was specified for this result"
-        else:
-            task_args = ', '.join(('%s=%s' % a for a in task.args.items()))
-            task_ctx['task_args'] = task_args
+
+        if C.DISPLAY_ARGS_TO_STDOUT:
+            if task.no_log:
+                task_ctx['task_args'] = "the output has been hidden due to the fact that 'no_log: true' was specified for this result"
+            else:
+                task_args = ', '.join(('%s=%s' % a for a in task.args.items()))
+                task_ctx['task_args'] = task_args
        if getattr(task, '_role', None):
            task_role = task._role._role_name
        else:
--- a/awx/lib/tests/test_display_callback.py
+++ b/awx/lib/tests/test_display_callback.py
@@ -186,14 +186,16 @@ def test_callback_plugin_no_log_filters(executor, cache, playbook):

@pytest.mark.parametrize('playbook', [
 {'no_log_on_ok.yml': '''
- name: args should not be logged when task-level no_log is set
+- name: args should not be logged when no_log is set at the task or module level
  connection: local
  hosts: all
  gather_facts: no
  tasks:
-    - shell: echo "SENSITIVE"
+    - shell: echo "PUBLIC"
    - shell: echo "PRIVATE"
      no_log: true
+    - uri: uri=https://example.org username="PUBLIC" password="PRIVATE"
+    - copy: content="PRIVATE" destination="/tmp/tmp_no_log"
 '''},  # noqa
 ])
 def test_callback_plugin_task_args_leak(executor, cache, playbook):
@@ -204,15 +206,13 @@ def test_callback_plugin_task_args_leak(executor, cache, playbook):

    # task 1
    assert events[2]['event'] == 'playbook_on_task_start'
-    assert 'SENSITIVE' in events[2]['event_data']['task_args']
    assert events[3]['event'] == 'runner_on_ok'
-    assert 'SENSITIVE' in events[3]['event_data']['task_args']

    # task 2 no_log=True
    assert events[4]['event'] == 'playbook_on_task_start'
-    assert events[4]['event_data']['task_args'] == "the output has been hidden due to the fact that 'no_log: true' was specified for this result"  # noqa
    assert events[5]['event'] == 'runner_on_ok'
-    assert events[5]['event_data']['task_args'] == "the output has been hidden due to the fact that 'no_log: true' was specified for this result"  # noqa
+    assert 'PUBLIC' in json.dumps(cache.items())
+    assert 'PRIVATE' not in json.dumps(cache.items())


@pytest.mark.parametrize('playbook', [