Closed jguay closed 4 days ago
@lucabelluccini Can you ping the synthetics developers related to check for sensitive data in case monitors list is (the only one) unsafe to collect and if they know which version is safe to collect these APIs from? Thanks
Hello @jguay thank you a lot for the contribution. As discussed with @devcorpio (sorry for the direct ping - if you want to delegate this to other members of the Synthetics team please do), we would like to confirm if the APIs we're planning to add are not dumping secrets or sensitive information. Can we have a confirmation? If there's a specific minimum version to use, please let us know.
Hi @jguay @lucabelluccini,
I'm trying to find the proper person (or people) who might give a thorough answer to this.
We will add our review as soon as possible.
Thanks, Alberto
Hi again!,
@awahab07 has been checking this and provided the following information (thanks Abdul!):
So the `decrypted` query param is on the Get One monitor endpoint `/internal/synthetics/service/monitor/{monitorId}` and should be set to `false`. This will omit sensitive/encrypted fields while returning the monitor. List of sensitive fields.
The list of non-decrypted fields are.
So generally no sensitive fields will be returned. However, there might be sensitive information contained in the non-decrypted fields, depending on how the user has configured the monitor. E.g. Playwright Options accepts a JSON but is not encrypted.
--
Hope this helps
Cheers, Alberto
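An added example (not code from this PR or from the diagnostics tool) of the two safeguards the comment above implies for a collector: pin `decrypted=false` on the monitor URL, and mask free-form non-encrypted fields before the response is stored. The key name `playwright_options`, the response shape and the sample values are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: keys of free-form, non-encrypted fields to mask. The thread only
# names "Playwright Options"; the key spelling used here is hypothetical.
FREE_FORM_KEYS = frozenset({"playwright_options"})


def force_non_decrypted(url):
    """Return url with decrypted=false, replacing any value already present."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "decrypted"]
    query.append(("decrypted", "false"))
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_free_form(doc, keys=FREE_FORM_KEYS, mask="<redacted>"):
    """Copy doc, masking non-empty values of free-form keys at any depth.

    Empty values are kept so the output still shows whether the option was set.
    """
    if isinstance(doc, dict):
        return {k: mask if (k in keys and v) else redact_free_form(v, keys, mask)
                for k, v in doc.items()}
    if isinstance(doc, list):
        return [redact_free_form(item, keys, mask) for item in doc]
    return doc


# Constructed sample response; not output captured from a real Kibana instance.
SAMPLE_MONITOR = {
    "id": "constructed-monitor-id",
    "attributes": {
        "name": "checkout-flow",
        "type": "browser",
        "playwright_options": '{"httpCredentials": {"password": "constructed"}}',
        "schedule": {"number": "10", "unit": "m"},
    },
}

if __name__ == "__main__":
    base = "/internal/synthetics/service/monitor/constructed-monitor-id"
    print(force_non_decrypted(base + "?decrypted=true"))
    print(redact_free_form(SAMPLE_MONITOR))
```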
Hello @jguay - I think this should be safe to merge if we tested it.
Hello @elastic/field-eng Would it be possible to review this PR and merge it? It would be useful for Synthetics.
According to engineering, those APIs will not disclose sensitive info.
> I think this should be safe to merge if we tested it.
Was it ever tested?
Adding the following API calls from 8.12.0 (we may be able to set a lower minimum version if no sensitive data is returned):
Additionally, code for this API was added and the API is disabled on purpose pending review that the API does not include sensitive information:
Checklist