thoughtworks / metrik

An easy-to-use, cross-platform measurement tool that pulls data out of CD pipelines and analyses the four key metrics for you.
MIT License
354 stars 87 forks

Credentials exposed in getProjectDetails api #77

Open minghao-wang opened 3 years ago

minghao-wang commented 3 years ago

Describe the bug: Credentials are exposed in the getProjectDetails API; this may lead to a security issue.

To Reproduce: Steps to reproduce the behavior:

  1. Open Chrome DevTools, go to the Network tab
  2. Select one GET /api/project/XXXX
  3. Hit Preview; there is credential info in the pipeline list

Expected behavior: Should hide the credentials of the pipelines

hyrepo commented 3 years ago

Hi @minghao-wang, thanks for the feedback.

When we developed the application we tried to make it as minimal as possible so we could deliver a usable version quickly; therefore only data in the database was encrypted, and the responsibility for transport-layer safety was left to users. But now, since we don't have pressure on a timeline, I think we can make it better as you mentioned.
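The bug report above shows pipeline credentials travelling in the project-details response, and the reply notes that only storage was protected. One server-side safeguard is to redact credential-bearing keys from the response model before serialisation and to keep a regression check that scans responses for anything that slipped through. The snippet below is an added illustration written for this issue, not metrik's own Kotlin code; the key pattern and the response shape are assumptions, and the sample payload is constructed.

```python
import re
from typing import Any

# Assumed deny-list of key names that must never leave the server in an API
# response. Metrik's real field names may differ; adjust the pattern to match.
SENSITIVE_KEY_PATTERN = re.compile(
    r"(credential|password|secret|token|api[_-]?key)", re.IGNORECASE
)
REDACTED = "[REDACTED]"


def redact(value: Any) -> Any:
    """Return a deep copy of `value` with every sensitive key's value replaced.

    The key is kept (with a placeholder) so the client can still tell that a
    credential is configured without ever receiving it.
    """
    if isinstance(value, dict):
        return {
            k: (REDACTED if SENSITIVE_KEY_PATTERN.search(str(k)) else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def find_leaks(value: Any, path: str = "$") -> list[str]:
    """Return JSON paths of sensitive keys whose value is not yet redacted.

    Intended as a regression check run over serialised API responses in tests.
    """
    leaks: list[str] = []
    if isinstance(value, dict):
        for k, v in value.items():
            p = f"{path}.{k}"
            if SENSITIVE_KEY_PATTERN.search(str(k)) and v != REDACTED:
                leaks.append(p)
            leaks.extend(find_leaks(v, p))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            leaks.extend(find_leaks(v, f"{path}[{i}]"))
    return leaks


# Constructed sample shaped like a project-details response with pipelines.
SAMPLE_RESPONSE = {
    "id": "project-1",
    "name": "demo",
    "pipelines": [
        {"id": "p1", "name": "build", "url": "https://ci.example/job/1", "credential": "hunter2"},
        {"id": "p2", "name": "deploy", "url": "https://ci.example/job/2", "credential": "s3cret"},
    ],
}
```

Running `find_leaks` against the raw sample reports both pipeline credentials, while `redact` produces a copy that passes the check and leaves the non-sensitive fields intact.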