authorMartin Krizek <martin.krizek@gmail.com>2021-05-17 12:22:53 +0200
committerGitHub <noreply@github.com>2021-05-17 05:22:53 -0500
commit2c9389b193187e8e76cc7df950ced93a05b8ac35 (patch)
treedf493d2b882a3fbdeb60a54b1769d7bbca8bff4e
parenta81386fa62952e45f8e4582a961c51a3a88d1b0d (diff)
downloadansible-2c9389b193187e8e76cc7df950ced93a05b8ac35.tar.gz
Prevent ansible_failed_task from further templating (#74290) (#74308)
Fixes #74036 * Add changelog (cherry picked from commit 664531d7d6253d5bdb182727501c08e3b5aea0c1)
-rw-r--r--changelogs/fragments/74036-unsafe-ansible_failed_task.yml2
-rw-r--r--lib/ansible/plugins/strategy/__init__.py3
-rwxr-xr-xtest/integration/targets/blocks/runme.sh2
-rw-r--r--test/integration/targets/blocks/unsafe_failed_task.yml17
4 files changed, 23 insertions, 1 deletions
diff --git a/changelogs/fragments/74036-unsafe-ansible_failed_task.yml b/changelogs/fragments/74036-unsafe-ansible_failed_task.yml
new file mode 100644
index 0000000000..5e69e4cf8a
--- /dev/null
+++ b/changelogs/fragments/74036-unsafe-ansible_failed_task.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - Prevent ``ansible_failed_task`` from further templating (https://github.com/ansible/ansible/issues/74036)
diff --git a/lib/ansible/plugins/strategy/__init__.py b/lib/ansible/plugins/strategy/__init__.py
index d8ad4ead46..46b3885c4b 100644
--- a/lib/ansible/plugins/strategy/__init__.py
+++ b/lib/ansible/plugins/strategy/__init__.py
@@ -50,6 +50,7 @@ from ansible.playbook.task_include import TaskInclude
from ansible.plugins import loader as plugin_loader
from ansible.template import Templar
from ansible.utils.display import Display
+from ansible.utils.unsafe_proxy import wrap_var
from ansible.utils.vars import combine_vars
from ansible.vars.clean import strip_internal_keys, module_response_deepcopy
@@ -572,7 +573,7 @@ class StrategyBase:
self._variable_manager.set_nonpersistent_facts(
original_host.name,
dict(
- ansible_failed_task=original_task.serialize(),
+ ansible_failed_task=wrap_var(original_task.serialize()),
ansible_failed_result=task_result._result,
),
)
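Review bot: `ansible_failed_result=task_result._result` on the line after the change is still stored without `wrap_var`, so only one of the two rescue facts is visibly marked unsafe here. If `task_result._result` is already wrapped before it reaches this call, that is not visible from the hunk and a short comment should say so; if it is not, template markers inside a result could still be rendered when the fact is read in `rescue`. A why-comment above the changed line would also help, for example `# mark unsafe: the serialized task holds raw, untemplated args that must not be rendered again in rescue`. The enclosing method starts and ends outside this hunk.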
diff --git a/test/integration/targets/blocks/runme.sh b/test/integration/targets/blocks/runme.sh
index 63bcd3fc3c..371937251e 100755
--- a/test/integration/targets/blocks/runme.sh
+++ b/test/integration/targets/blocks/runme.sh
@@ -103,3 +103,5 @@ rm -f role_complete_test.out
# test notify inheritance
ansible-playbook inherit_notify.yml "$@"
+
+ansible-playbook unsafe_failed_task.yml "$@"
diff --git a/test/integration/targets/blocks/unsafe_failed_task.yml b/test/integration/targets/blocks/unsafe_failed_task.yml
new file mode 100644
index 0000000000..adfa492ad9
--- /dev/null
+++ b/test/integration/targets/blocks/unsafe_failed_task.yml
@@ -0,0 +1,17 @@
+- hosts: localhost
+ gather_facts: false
+ vars:
+ - data: {}
+ tasks:
+ - block:
+ - name: template error
+ debug:
+ msg: "{{ data.value }}"
+ rescue:
+ - debug:
+ msg: "{{ ansible_failed_task.action }}"
+
+ - assert:
+ that:
+ - ansible_failed_task.name == "template error"
+ - ansible_failed_task.action == "debug"
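Review bot: The playbook only exercises an expression that fails to render (`{{ data.value }}` with `data: {}`), so it shows that reading `ansible_failed_task` in `rescue` no longer raises, but not that a renderable expression in the failed task's arguments stays literal. A second block whose failing task carries an expression that would render, with an assertion that the value read back through `ansible_failed_task` is still the unrendered text, would pin the property `wrap_var` is meant to provide. The closing `assert` task also has no `name`; adding one, such as `name: failed task facts are readable in rescue`, would make a failure easier to locate in the integration output.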