cypress-io / cypress

Fast, easy and reliable testing for anything that runs in a browser.
https://cypress.io
MIT License

Mask/Secure data in Cypress Cloud during Test Replay #29966

Open BibiJohn14 opened 1 month ago

BibiJohn14 commented 1 month ago

Current behavior

Description:

While replaying an automation run on the Cypress Cloud Dashboard, the "Save Your Password" prompt appeared, displaying my colleague's username and password. This poses a significant security risk as sensitive credentials were exposed. This issue is reproducible.

Security Impact:

Sensitive credentials are exposed to unauthorized users, which can lead to security breaches.

Actions Taken:

Informed the affected colleague to change their password immediately.

[Screenshot: PasswordSaveIssue]

Desired behavior

Secure Handling of Sensitive Data:

No Display of Sensitive Information: During the replay of any automation run, sensitive information such as usernames and passwords should never be displayed in plain text or prompts. These should be masked or hidden.

Environment Variables: Any sensitive information required for the automation run should be stored and accessed securely using environment variables or encrypted storage mechanisms.

Prompt Handling:

Avoid Unnecessary Prompts: The system should avoid triggering browser prompts for saving passwords during automated tasks. This can be achieved by ensuring that automation scripts handle login credentials securely and programmatically.

Data Encryption:

Encrypt Sensitive Data: Any sensitive data, including usernames and passwords, should be encrypted both in transit and at rest. This prevents unauthorized access even if data is intercepted or accessed without permission.

User Notification and Reporting:

User Awareness: Inform users when their credentials are being used or accessed, and provide them with options to manage their security settings.

Incident Reporting: Implement a mechanism for users to report any security incidents or suspicious activities promptly.

Test code to reproduce

Steps to Reproduce:

  1. Open Cypress Cloud Dashboard in Chrome
  2. Navigate to a colleague's project automation run details.
  3. Replay a previously executed automation run.
  4. Observe the "Save Your Password" prompt displaying the username and password of the colleague.

Cypress package version: 13.13.2
Cypress binary version: 13.13.2
Bundled Node version: 18.17.1
Chrome Version: Version 127.0.6533.74
OS Name: Microsoft Windows 11 Pro
OS Version: 10.0.22631 N/A Build 22631

Cypress Version

13.13.2

Node version

v18.20.3

Operating System

Microsoft Windows 11 Pro: 10.0.22631 N/A Build 22631

Debug Logs

No response

Other

No response

pgmanutd commented 3 weeks ago

Another issue is that anyone can see the passwords sent via POST requests. For example, during Azure login, the entire page is posted, but we can see the passwords in the request body via requests that are captured in developer tools. This is different from disabling logging.
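A defensive pattern for the two points raised in the thread (credentials read from the environment instead of typed into a form, and no browser save-password prompt during a run), as an added example that is not from the issue or from the Cypress project. It assumes env keys TEST_USER/TEST_PASSWORD and a JSON login endpoint at /api/login; as pgmanutd's comment notes, log: false does not remove the POST body from captured network requests, so this addresses the prompt and the command log only.

```javascript
// Added example (not from the issue or from Cypress itself). Assumed names:
// env keys TEST_USER / TEST_PASSWORD and a JSON login endpoint POST /api/login.

// Read credentials from an environment map (Cypress.env() inside a spec; any
// plain object here) and refuse to run when either value is missing, so nobody
// is tempted to hard-code a fallback password in the spec.
function readCredentials(env) {
  const username = env.TEST_USER;
  const password = env.TEST_PASSWORD;
  if (!username || !password) {
    throw new Error('TEST_USER and TEST_PASSWORD must be set in the environment');
  }
  return { username, password };
}

// Replace sensitive fields with a fixed mask before a body is logged or
// attached to a report; key matching is case-insensitive.
function redact(body, sensitiveKeys = ['password', 'passwd', 'token']) {
  const out = {};
  for (const [key, value] of Object.entries(body)) {
    out[key] = sensitiveKeys.includes(key.toLowerCase()) ? '***' : value;
  }
  return out;
}

// Options for a programmatic login via cy.request: no form field is ever
// filled, so the browser's password manager has nothing to offer to save,
// and log: false keeps the request out of the Cypress command log.
function loginRequest(creds, url = '/api/login') {
  return { method: 'POST', url, body: creds, log: false, failOnStatusCode: true };
}

// Register the custom command only when this file is loaded by Cypress
// (e.g. from cypress/support/e2e.js); in plain Node it is skipped.
if (typeof Cypress !== 'undefined' && typeof cy !== 'undefined') {
  Cypress.Commands.add('loginByApi', () => {
    const creds = readCredentials(Cypress.env());
    // cy.session caches the authenticated cookies, so the credentials are
    // sent once per run instead of once per test.
    cy.session(creds.username, () => {
      cy.request(loginRequest(creds)).then((resp) => {
        expect(resp.status).to.eq(200);
        // Only a redacted view of what was sent reaches the command log.
        Cypress.log({ name: 'loginByApi', message: JSON.stringify(redact(creds)) });
      });
    });
  });
}
```

In a spec, `cy.loginByApi()` in a `beforeEach` replaces typing credentials into the login form; the env values come from `CYPRESS_TEST_USER` / `CYPRESS_TEST_PASSWORD` or a CI secret store, never from the repository.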