From ae321536cd12f1d0b786fe4531c91b0a68a86f44 Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Thu, 2 Mar 2017 14:26:24 -0500
Subject: [PATCH] fix a regex that doesn't properly strip certain environment variables

see: #5601
---
 awx/main/tasks.py | 7 +++----
 awx/main/tests/unit/test_tasks.py | 13 +++++++++++++
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index 16a772dfdc..a48b7a3b19 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -471,14 +471,13 @@ class BaseTask(Task):
 env['PROOT_TMP_DIR'] = settings.AWX_PROOT_BASE_PATH
 return env
- def build_safe_env(self, instance, **kwargs):
+ def build_safe_env(self, env, **kwargs):
 '''
 Build environment dictionary, hiding potentially sensitive information
 such as passwords or keys.
 '''
 hidden_re = re.compile(r'API|TOKEN|KEY|SECRET|PASS', re.I)
- urlpass_re = re.compile(r'^.*?://.?:(.*?)@.*?$')
- env = self.build_env(instance, **kwargs)
+ urlpass_re = re.compile(r'^.*?://[^:]+:(.*?)@.*?$')
 for k,v in env.items():
 if k in ('REST_API_URL', 'AWS_ACCESS_KEY', 'AWS_ACCESS_KEY_ID'):
 continue
@@ -699,7 +698,7 @@ class BaseTask(Task):
 output_replacements = self.build_output_replacements(instance, **kwargs)
 cwd = self.build_cwd(instance, **kwargs)
 env = self.build_env(instance, **kwargs)
- safe_env = self.build_safe_env(instance, **kwargs)
+ safe_env = self.build_safe_env(env, **kwargs)
 stdout_handle = self.get_stdout_handle(instance)
 if self.should_use_proot(instance, **kwargs):
 if not check_proot_installed():
diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py
index d8b6469f93..387506ce4c 100644
--- a/awx/main/tests/unit/test_tasks.py
+++ b/awx/main/tests/unit/test_tasks.py
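Review bot: `build_safe_env` now walks the caller's own dictionary (`for k,v in env.items():`) instead of a fresh one from `build_env`, so if the loop body below the hunk writes masked values back into `env`, the same object that the second hunk hands on as the job's real environment is altered in place and the job would run with `HIDDEN_PASSWORD` placeholders where credentials belong. Copying first, `safe_env = dict(env)`, then iterating and returning `safe_env`, keeps the real and the loggable environment separate; the rest of the method, including its `return`, lies outside the hunk, so this is inferred from the signature change rather than visible. The tightened `[^:]+` also demands at least one character before the `:`, so a URL with an empty user part (`scheme://:secret@host`) no longer matches and its credential would reach the safe env unmasked, whereas `[^:/@]*` still covers it while fixing the multi-character user names the commit targets. The docstring still only says "Build environment dictionary"; with the new parameter it should state that `env` is the mapping produced by `build_env` and whether it is returned modified or as a copy, e.g. `Return a copy of *env* with values that look like secrets replaced by HIDDEN_PASSWORD.`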
@@ -71,6 +71,19 @@ def test_run_admin_checks_usage(mocker, current_instances, call_count):
 assert 'expire' in mock_sm.call_args_list[0][0][0]
+@pytest.mark.parametrize("key,value", [
+ ('REST_API_TOKEN', 'SECRET'),
+ ('SECRET_KEY', 'SECRET'),
+ ('RABBITMQ_PASS', 'SECRET'),
+ ('VMWARE_PASSWORD', 'SECRET'),
+ ('API_SECRET', 'SECRET'),
+ ('CALLBACK_CONNECTION', 'amqp://tower:password@localhost:5672/tower'),
+])
+def test_safe_env_filtering(key, value):
+ task = tasks.RunJob()
+ assert task.build_safe_env({key: value})[key] == tasks.HIDDEN_PASSWORD
+
+
 def test_openstack_client_config_generation(mocker):
 update = tasks.RunInventoryUpdate()
 inventory_update = mocker.Mock(**{
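Review bot: `test_safe_env_filtering` only exercises keys and values that must be hidden; a parametrized case that must pass through untouched (an explicitly excluded key such as `REST_API_URL`, or a URL value without a credential like `https://localhost/`) would catch over-masking, which the regexes `API|TOKEN|KEY|SECRET|PASS` and `^.*?://[^:]+:(.*?)@.*?$` make plausible since both match substrings. The test also hands in a throwaway literal, so it cannot tell whether `build_safe_env` mutates its argument; keeping a reference would, e.g. `env = {key: value}` then `assert task.build_safe_env(env)[key] == tasks.HIDDEN_PASSWORD` followed by `assert env[key] == value` if returning a copy is the intended contract. A one-line docstring on the test, `"""Keys or URL credentials that look sensitive are replaced by HIDDEN_PASSWORD."""`, would make the parametrization's purpose obvious to the next reader.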