StackStorm / st2web

StackStorm Web UI
http://www.stackstorm.com/features
Apache License 2.0

passwords visible in preview #1005

Open fdrab opened 1 year ago

fdrab commented 1 year ago

Hello,

I've found a past issue (https://github.com/StackStorm/st2web/issues/411) that should have solved this, but it seems in 3.8.0 the preview leaks fields marked as secret:

[Screenshot 2023-07-19 173418]

Do I have to configure something in the st2.conf? Or is this by design?

BR, Filip

arm4b commented 1 year ago

This sounds like a bug indeed as secrets should be masked. Thanks for the report.

If someone is interested in contributing, the fix should be done in the st2 core which provides st2web with an API response.

docbyte86 commented 1 year ago

Same issue while checking the past executions in the execution tab.

fdrab commented 1 year ago

> Same issue while checking the past executions in the execution tab.

Can you post an example screenshot? I see secrets properly masked in past execution outputs:

[Screenshot 2023-07-27 084430]

If, however, you store a secret in the context and then post the whole context as output, the secret is going to be posted in cleartext.
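The failure mode described in the last comment, as an added example that is not part of the thread and is not StackStorm's code: masking driven by a `secret: true` flag in the parameter schema covers the parameters themselves, not a copy of the value that ends up in the output. The schema, values, mask string and function names below are constructed for illustration.

```python
MASK = "********"  # constructed mask string for this example

# Constructed sample data: a parameter schema, the supplied values, and an
# action output that echoes the whole context back.
SCHEMA = {"host": {"type": "string"},
          "password": {"type": "string", "secret": True}}
PARAMS = {"host": "db01", "password": "s3cr3t-constructed"}
OUTPUT = {"stdout": "connected",
          "context": {"host": "db01", "password": "s3cr3t-constructed"},
          "log": ["login with s3cr3t-constructed ok"]}

def mask_by_schema(params, schema):
    """Mask parameters the schema marks secret. Output is never consulted."""
    return {k: MASK if schema.get(k, {}).get("secret") else v
            for k, v in params.items()}

def secret_values(params, schema):
    """Collect the concrete values of secret parameters."""
    return {str(v) for k, v in params.items()
            if schema.get(k, {}).get("secret") and v}

def find_leaks(obj, secrets, path=""):
    """Return the paths in a nested result where a secret value appears."""
    if isinstance(obj, dict):
        return [p for k, v in obj.items()
                for p in find_leaks(v, secrets, f"{path}.{k}" if path else k)]
    if isinstance(obj, list):
        return [p for i, v in enumerate(obj)
                for p in find_leaks(v, secrets, f"{path}[{i}]")]
    hit = isinstance(obj, str) and any(s in obj for s in secrets)
    return [path] if hit else []

def scrub(obj, secrets):
    """Value-based masking: replace secret values wherever they occur.
    Very short secrets would over-match; this sketch does not handle that."""
    if isinstance(obj, dict):
        return {k: scrub(v, secrets) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub(v, secrets) for v in obj]
    if isinstance(obj, str):
        for s in secrets:
            obj = obj.replace(s, MASK)
    return obj

if __name__ == "__main__":
    secrets = secret_values(PARAMS, SCHEMA)
    print("parameters:", mask_by_schema(PARAMS, SCHEMA))
    print("leaks in output:", find_leaks(OUTPUT, secrets))
    print("scrubbed output:", scrub(OUTPUT, secrets))
```

Running `find_leaks` over stored results is a quick way to check whether an action echoes a secret parameter back into its output.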