Secret exposed from index.bundle.js

[saranjsr]

Existing Resources

• [ ] Please search the existing issues for related problems
• [ ] Consult the product documentation : Docs
• [ ] Consult the FAQ : FAQ
• [ ] Consult the Troubleshooting Guide : Guide
• [ ] Reviewed existing training videos: Youtube

Describe the bug

Secret exposed from index.bundle.js in browser. I didn't find any information about this openstack_application_credential_secret variable in installation folder. How to fix it ?

{type:"text",name:"openstack_application_credential_id",id:"openstack_application_credential_id",placeholder:"3f6a63da76a248ec92590fd9fd5e33a2",component:Fb,validate:gb,required:!0}),t.createElement(kl,{type:"text",name:"openstack_application_credential_secret",id:"openstack_application_credential_secret",placeholder:"3f6a63da76a248ec92590fd9fd5e33a2",component:Fb,validate:gb,required:!0})):"",

To Reproduce Steps to reproduce the behavior:

use Standard install on ubuntu EC2 and hit the following url in your chrome browser.

curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_1.15.0.06fdc8.tar.gz
tar -xf kasm_release_1.15.0.06fdc8.tar.gz
sudo bash kasm_release/install.sh

https://domain-name/index.bundle.js?9763f2b93bc9b41d689b

Expected behavior Should not exposed any secrets.

Screenshots If applicable, add screenshots to help explain your problem.

Workspaces Version Version 1.15

Workspaces Installation Method Single Server

Client Browser (please complete the following information):

• OS: MacOS 14.6.1
• Browser: chrome
• Version 128.0.6613.138 (Official Build) (arm64)

Workspace Server Information (please provide the output of the following commands):

Linux ip-172-31-38-4 6.8.0-1015-aws #16~22.04.1-Ubuntu SMP Mon Aug 19 19:38:17 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

sudo docker info
Client: Docker Engine - Community
 Version:    27.2.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.16.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.5.0
    Path:     /usr/local/lib/docker/cli-plugins/docker-compose

Server:
 Containers: 9
  Running: 9
  Paused: 0
  Stopped: 0
 Images: 9
 Server Version: 27.2.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 472731909fa34bd7bc9c087e4c27943f9835f111
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-1015-aws
 Operating System: Ubuntu 22.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.821GiB
 Name: ip-172-31-38-4
 ID: a3fd9c2e-6079-4554-8aea-7f400ec78641
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

docker ps | grep kasm
19355277dfe9   kasmweb/ubuntu-jammy-desktop:1.15.0   "/dockerstartup/kasm…"   21 minutes ago   Up 21 minutes          4901/tcp, 5901/tcp, 6901/tcp                    userkasm.loc_6de6949f
81ea02dc6e06   kasmweb/nginx:1.25.3                  "/docker-entrypoint.…"   9 days ago       Up 5 hours             80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   kasm_proxy
465fc1c07fc7   kasmweb/agent:1.15.0                  "/bin/sh -c '/usr/bi…"   9 days ago       Up 5 hours (healthy)   4444/tcp                                        kasm_agent
7ab269e3d73d   kasmweb/share:1.15.0                  "/bin/sh -c '/usr/bi…"   9 days ago       Up 5 hours (healthy)   8182/tcp                                        kasm_share
dd9eb31fac83   kasmweb/manager:1.15.0                "/bin/sh -c '/usr/bi…"   9 days ago       Up 5 hours (healthy)   8181/tcp                                        kasm_manager
a7834a33231c   redis:5-alpine                        "docker-entrypoint.s…"   9 days ago       Up 5 hours             6379/tcp                                        kasm_redis
2165c2cacb19   kasmweb/kasm-guac:1.15.0              "/dockerentrypoint.sh"   9 days ago       Up 5 hours (healthy)                                                   kasm_guac
2e429d47ddb1   kasmweb/api:1.15.0                    "/bin/sh -c '/usr/bi…"   9 days ago       Up 5 hours (healthy)   8080/tcp                                        kasm_api
d1baad7b7804   postgres:12-alpine                    "docker-entrypoint.s…"   9 days ago       Up 5 hours (healthy)   5432/tcp                                        kasm_db

Additional context Add any other context about the problem here.

[j-travis]

This is simply a reference to a form option when using the OpenStack autoscale provider: https://kasmweb.com/docs/latest/guide/compute/pools.html#id49

There is no data spill. Placeholder is simply an example value thats shown in the form to give an indication of what the value should look like