Sanitize sudo success_key from stdout for raw/script modules

Fixes #5533
Closes #5605
Closes #5606
Closes #5607

1 files changed, 8 insertions, 3 deletions

diff --git a/lib/ansible/runner/action_plugins/raw.py b/lib/ansible/runner/action_plugins/raw.py
index ac6ed698d5..da0cb13a2d 100644
--- a/lib/ansible/runner/action_plugins/raw.py
+++ b/lib/ansible/runner/action_plugins/raw.py
@@ -43,6 +43,11 @@ class ActionModule(object):
                 executable = v
         module_args = r.sub("", module_args)
 
-        return ReturnData(conn=conn,
-            result=self.runner._low_level_exec_command(conn, module_args, tmp, sudoable=True, executable=executable)
-        )
+        result = self.runner._low_level_exec_command(conn, module_args, tmp, sudoable=True, executable=executable)
+        # for some modules (script, raw), the sudo success key
+        # may leak into the stdout due to the way the sudo/su
+        # command is constructed, so we filter that out here
+        if result.get('stdout','').startswith('SUDO-SUCCESS-'):
+            result['stdout'] = re.sub(r'^SUDO-SUCCESS.*(\r)?\n', '', result['stdout'])
+
+        return ReturnData(conn=conn, result=result)