From bf65b40241d60e99e49b3109a33c26f26cd418ec Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Fri, 1 May 2020 09:58:25 -0400
Subject: [PATCH] only sanitize project update events for the scm modules

these are the only modules in the project update playbook that actually utilize the SCM URL (which is what potentially contains sensitive data)
---
 awx/api/serializers.py | 24 ++++++++++++++++--------
 awx/main/tasks.py | 8 +++++---
 2 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index 3960790ce7..d8152adb34 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -3899,15 +3899,23 @@ class ProjectUpdateEventSerializer(JobEventSerializer):
 return UriCleaner.remove_sensitive(obj.stdout)
 def get_event_data(self, obj):
- try:
- return json.loads(
- UriCleaner.remove_sensitive(
- json.dumps(obj.event_data)
+ # the project update playbook uses the git, hg, or svn modules
+ # to clone repositories, and those modules are prone to printing
+ # raw SCM URLs in their stdout (which *could* contain passwords)
+ # attempt to detect and filter HTTP basic auth passwords in the stdout
+ # of these types of events
+ if obj.event_data.get('task_action') in ('git', 'hg', 'svn'):
+ try:
+ return json.loads(
+ UriCleaner.remove_sensitive(
+ json.dumps(obj.event_data)
+ )
 )
- )
- except Exception:
- logger.exception("Failed to sanitize event_data")
- return {}
+ except Exception:
+ logger.exception("Failed to sanitize event_data")
+ return {}
+ else:
+ return obj.event_data
 class AdHocCommandEventSerializer(BaseSerializer):
diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index e8a5bf5a57..26e73f4d6e 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
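Review bot: The new guard `if obj.event_data.get('task_action') in ('git', 'hg', 'svn'):` turns sanitization into an exact-match allowlist, so an event whose action is reported under any other spelling — for example a fully-qualified name such as `ansible.builtin.git`, should the playbook or callback ever emit one — falls into the `else` branch and is returned unfiltered; normalizing first, e.g. `action = (obj.event_data.get('task_action') or '').rsplit('.', 1)[-1]`, keeps the intent of the commit while closing that gap. The same tuple is repeated in the tasks.py hunk below; defining it once (for instance `SCM_MODULES = ('git', 'hg', 'svn')` next to `UriCleaner`) and referencing it from both places prevents the two filters from drifting apart. The trade-off also belongs in the comment block, e.g. `# events from any other module are returned unfiltered; extend this tuple if the playbook starts passing scm_url to another module`. Whether `task_action` can arrive as a fully-qualified name is not visible from this hunk.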
@@ -1232,10 +1232,12 @@ class BaseTask(object):
 # this is a _little_ expensive to filter
 # with regex, but project updates don't have many events,
 # so it *should* have a negligible performance impact
+ task = event_data.get('event_data', {}).get('task_action')
 try:
- event_data_json = json.dumps(event_data)
- event_data_json = UriCleaner.remove_sensitive(event_data_json)
- event_data = json.loads(event_data_json)
+ if task in ('git', 'hg', 'svn'):
+ event_data_json = json.dumps(event_data)
+ event_data_json = UriCleaner.remove_sensitive(event_data_json)
+ event_data = json.loads(event_data_json)
 except json.JSONDecodeError:
 pass
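Review bot: `task = event_data.get('event_data', {}).get('task_action')` raises `AttributeError` when the event carries `'event_data': None` (the `{}` default only applies to a missing key), and because that line sits above the `try`, which in any case only catches `json.JSONDecodeError`, one such event would abort the callback rather than merely skip sanitization; `task = (event_data.get('event_data') or {}).get('task_action')` is the safe form. Whether ansible-runner ever emits a null `event_data` is not something this hunk shows, but the old code never inspected the inner dict, so the new line narrows what the callback survives. The enclosing method of `BaseTask` starts before this hunk, and the hunk header counts (10/12) suggest one trailing context line was lost in the page's layout.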