only sanitize project update events for the scm modules

these are the only modules in the project update playbook that actually utilize the SCM URL (which is what potentially contains sensitive data)
2026-01-12 10:30:03 -03:30 · 2020-05-01 09:58:25 -04:00 · 2020-05-01 09:58:25 -04:00 · bf65b40241
commit bf65b40241
parent 99c7f2f70d
2 changed files with 21 additions and 11 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@ -3899,15 +3899,23 @@ class ProjectUpdateEventSerializer(JobEventSerializer):
        return UriCleaner.remove_sensitive(obj.stdout)

    def get_event_data(self, obj):
-        try:
-            return json.loads(
-                UriCleaner.remove_sensitive(
-                    json.dumps(obj.event_data)
+        # the project update playbook uses the git, hg, or svn modules
+        # to clone repositories, and those modules are prone to printing
+        # raw SCM URLs in their stdout (which *could* contain passwords)
+        # attempt to detect and filter HTTP basic auth passwords in the stdout
+        # of these types of events
+        if obj.event_data.get('task_action') in ('git', 'hg', 'svn'):
+            try:
+                return json.loads(
+                    UriCleaner.remove_sensitive(
+                        json.dumps(obj.event_data)
+                    )
                )
-            )
-        except Exception:
-            logger.exception("Failed to sanitize event_data")
-            return {}
+            except Exception:
+                logger.exception("Failed to sanitize event_data")
+                return {}
+        else:
+            return obj.event_data


 class AdHocCommandEventSerializer(BaseSerializer):
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@ -1232,10 +1232,12 @@ class BaseTask(object):
            # this is a _little_ expensive to filter
            # with regex, but project updates don't have many events,
            # so it *should* have a negligible performance impact
+            task = event_data.get('event_data', {}).get('task_action')
            try:
-                event_data_json = json.dumps(event_data)
-                event_data_json = UriCleaner.remove_sensitive(event_data_json)
-                event_data = json.loads(event_data_json)
+                if task in ('git', 'hg', 'svn'):
+                    event_data_json = json.dumps(event_data)
+                    event_data_json = UriCleaner.remove_sensitive(event_data_json)
+                    event_data = json.loads(event_data_json)
            except json.JSONDecodeError:
                pass