Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

passwords visible in preview #1005

Open
fdrab opened this issue Jul 19, 2023 · 3 comments
Open

passwords visible in preview #1005

fdrab opened this issue Jul 19, 2023 · 3 comments
Labels
bug security

Comments

@fdrab
Copy link

fdrab commented Jul 19, 2023
edited

Hello,

I've found past issue (#411) that should have solved this, but it seems in 3.8.0 the preview leaks fields marked as secret:
Screenshot 2023-07-19 173418
Do I have to configure something in the st2.conf? Or is this by design?

BR,
Filip
@arm4b
Copy link
Member

arm4b commented Jul 24, 2023

This sounds like a bug indeed as secrets should be masked. Thanks for the report.

If someone is interested in contributing, the fix should be done in the st2 core which provides st2web with an API response.

@docbyte86
Copy link

Same issue while checking the past executions in the execution tab.

@fdrab
Copy link
Author

fdrab commented Jul 27, 2023
edited

Same issue while checking the past executions in the execution tab.

can you post example screenshot? I see secrets properly masked in past execution outputs:
Screenshot 2023-07-27 084430

If, however, you store a secret in the context and then post the whole context as output, the secret is going to be posted cleartext.

@fdrab fdrab mentioned this issue Mar 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@arm4b @docbyte86 @fdrab