Merge pull request #6305 from jangsutsr/6272_prevent_nested_encrypted_field_leak_in_activity_stream

Prevent nested encrypted field leak in activity stream
2026-03-14 23:47:28 -02:30 · 2017-05-24 09:55:29 -04:00
parent a15bc6d0f7 7f1f68ee28
commit b50820fa60
6 changed files with 119 additions and 30 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -1948,9 +1948,8 @@ class CredentialSerializer(BaseSerializer):
                if field in value and force_text(value[field]).startswith('$encrypted$'):
                    value[field] = '$encrypted$'

-        for k, v in value.get('inputs', {}).items():
-            if force_text(v).startswith('$encrypted$'):
-                value['inputs'][k] = '$encrypted$'
+        if 'inputs' in value:
+            value['inputs'] = data.display_inputs()
        return value

    def get_related(self, obj):
@@ -3207,11 +3206,8 @@ class NotificationTemplateSerializer(BaseSerializer):

    def to_representation(self, obj):
        ret = super(NotificationTemplateSerializer, self).to_representation(obj)
-        for field in obj.notification_class.init_parameters:
-            config = obj.notification_configuration
-            if field in config and force_text(config[field]).startswith('$encrypted$'):
-                config[field] = '$encrypted$'
-        ret['notification_configuration'] = config
+        if 'notification_configuration' in ret:
+            ret['notification_configuration'] = obj.display_notification_configuration()
        return ret

    def get_related(self, obj):