External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-04 18:21:03 -03:30
Code Issues Packages Projects Releases Wiki Activity

only sanitize project update events for the scm modules

Browse Source 
these are the only modules in the project update playbook that actually
utilize the SCM URL (which is what potentially contains sensitive data)
This commit is contained in:
Ryan Petrello
2020-05-01 09:58:25 -04:00
parent 99c7f2f70d
commit bf65b40241
2 changed files with 21 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
awx/api/serializers.py
View File

@@ -3899,15 +3899,23 @@ class ProjectUpdateEventSerializer(JobEventSerializer):
return UriCleaner.remove_sensitive(obj.stdout) return UriCleaner.remove_sensitive(obj.stdout)
def get_event_data(self, obj): def get_event_data(self, obj):
try: # the project update playbook uses the git, hg, or svn modules
return json.loads( # to clone repositories, and those modules are prone to printing
UriCleaner.remove_sensitive( # raw SCM URLs in their stdout (which *could* contain passwords)
json.dumps(obj.event_data) # attempt to detect and filter HTTP basic auth passwords in the stdout
# of these types of events
if obj.event_data.get('task_action') in ('git', 'hg', 'svn'):
try:
return json.loads(
UriCleaner.remove_sensitive(
json.dumps(obj.event_data)
)
) )
) except Exception:
except Exception: logger.exception("Failed to sanitize event_data")
logger.exception("Failed to sanitize event_data") return {}
return {} else:
return obj.event_data
class AdHocCommandEventSerializer(BaseSerializer): class AdHocCommandEventSerializer(BaseSerializer):

8
awx/main/tasks.py
View File

@@ -1232,10 +1232,12 @@ class BaseTask(object):
# this is a _little_ expensive to filter # this is a _little_ expensive to filter
# with regex, but project updates don't have many events, # with regex, but project updates don't have many events,
# so it *should* have a negligible performance impact # so it *should* have a negligible performance impact
task = event_data.get('event_data', {}).get('task_action')
try: try:
event_data_json = json.dumps(event_data) if task in ('git', 'hg', 'svn'):
event_data_json = UriCleaner.remove_sensitive(event_data_json) event_data_json = json.dumps(event_data)
event_data = json.loads(event_data_json) event_data_json = UriCleaner.remove_sensitive(event_data_json)
event_data = json.loads(event_data_json)
except json.JSONDecodeError: except json.JSONDecodeError:
pass pass