Merge pull request #4284 from ryanpetrello/more-event-sanitization-tweaks

only sanitize project update events for the scm modules
2026-01-13 19:10:07 -03:30 · 2020-05-01 11:48:24 -04:00 · 2020-05-01 11:48:24 -04:00 · cd21dd69f5
commit cd21dd69f5
parent 99c7f2f70d bf65b40241
2 changed files with 21 additions and 11 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@ -3899,15 +3899,23 @@ class ProjectUpdateEventSerializer(JobEventSerializer):
        return UriCleaner.remove_sensitive(obj.stdout)

    def get_event_data(self, obj):
-        try:
-            return json.loads(
-                UriCleaner.remove_sensitive(
-                    json.dumps(obj.event_data)
+        # the project update playbook uses the git, hg, or svn modules
+        # to clone repositories, and those modules are prone to printing
+        # raw SCM URLs in their stdout (which *could* contain passwords)
+        # attempt to detect and filter HTTP basic auth passwords in the stdout
+        # of these types of events
+        if obj.event_data.get('task_action') in ('git', 'hg', 'svn'):
+            try:
+                return json.loads(
+                    UriCleaner.remove_sensitive(
+                        json.dumps(obj.event_data)
+                    )
                )
-            )
-        except Exception:
-            logger.exception("Failed to sanitize event_data")
-            return {}
+            except Exception:
+                logger.exception("Failed to sanitize event_data")
+                return {}
+        else:
+            return obj.event_data


 class AdHocCommandEventSerializer(BaseSerializer):
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@ -1232,10 +1232,12 @@ class BaseTask(object):
            # this is a _little_ expensive to filter
            # with regex, but project updates don't have many events,
            # so it *should* have a negligible performance impact
+            task = event_data.get('event_data', {}).get('task_action')
            try:
-                event_data_json = json.dumps(event_data)
-                event_data_json = UriCleaner.remove_sensitive(event_data_json)
-                event_data = json.loads(event_data_json)
+                if task in ('git', 'hg', 'svn'):
+                    event_data_json = json.dumps(event_data)
+                    event_data_json = UriCleaner.remove_sensitive(event_data_json)
+                    event_data = json.loads(event_data_json)
            except json.JSONDecodeError:
                pass