diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index 3960790ce7..d8152adb34 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -3899,15 +3899,23 @@ class ProjectUpdateEventSerializer(JobEventSerializer):
 return UriCleaner.remove_sensitive(obj.stdout)
 def get_event_data(self, obj):
- try:
- return json.loads(
- UriCleaner.remove_sensitive(
- json.dumps(obj.event_data)
+ # the project update playbook uses the git, hg, or svn modules
+ # to clone repositories, and those modules are prone to printing
+ # raw SCM URLs in their stdout (which *could* contain passwords)
+ # attempt to detect and filter HTTP basic auth passwords in the stdout
+ # of these types of events
+ if obj.event_data.get('task_action') in ('git', 'hg', 'svn'):
+ try:
+ return json.loads(
+ UriCleaner.remove_sensitive(
+ json.dumps(obj.event_data)
+ )
 )
- )
- except Exception:
- logger.exception("Failed to sanitize event_data")
- return {}
+ except Exception:
+ logger.exception("Failed to sanitize event_data")
+ return {}
+ else:
+ return obj.event_data
 class AdHocCommandEventSerializer(BaseSerializer):
diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index e8a5bf5a57..26e73f4d6e 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -1232,10 +1232,12 @@ class BaseTask(object):
 # this is a _little_ expensive to filter
 # with regex, but project updates don't have many events,
 # so it *should* have a negligible performance impact
+ task = event_data.get('event_data', {}).get('task_action')
 try:
- event_data_json = json.dumps(event_data)
- event_data_json = UriCleaner.remove_sensitive(event_data_json)
- event_data = json.loads(event_data_json)
+ if task in ('git', 'hg', 'svn'):
+ event_data_json = json.dumps(event_data)
+ event_data_json = UriCleaner.remove_sensitive(event_data_json)
+ event_data = json.loads(event_data_json)
 except json.JSONDecodeError:
 pass
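Review bot: Gating redaction on `obj.event_data.get('task_action') in ('git', 'hg', 'svn')` makes the filter in `get_event_data` fail open: every other event is now returned through the `else` branch unfiltered, so a credentialed URL printed by any other task in the project-update playbook reaches API clients as-is. Ansible's Subversion module is named `subversion`, so if `task_action` carries the module name the `'svn'` entry would never match, and a fully qualified name such as `ansible.builtin.git` would miss as well; this should be confirmed against the playbook. The same tuple is repeated in the awx/main/tasks.py hunk, so both call sites would benefit from one shared constant, e.g. `SCM_TASK_ACTIONS = ('git', 'hg', 'svn', 'subversion')`. A short comment on the `else` branch stating that unfiltered output is an accepted trade-off for performance would make the decision visible to the next reader.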
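Review bot: The added `task = event_data.get('event_data', {}).get('task_action')` sits outside the `try` and assumes the nested value is a dict; when the `event_data` key is present but null, `.get('event_data', {})` returns `None` and the second `.get` raises an `AttributeError` that the `except json.JSONDecodeError` below does not catch. `task = (event_data.get('event_data') or {}).get('task_action')` avoids that. The handler also only covers the `json.loads` side, so a `TypeError` from `json.dumps` on a non-serializable payload would propagate, and on a decode failure `pass` lets the unredacted event continue; both are worth a comment stating the intended behaviour. The enclosing method starts and ends outside the hunk, so whether a null `event_data` can occur there is not visible.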