Consider security implications of report.json

[foot]

You can get the current report by:

• hitting /api/report.json
• clicking Save raw data as JSON

The report contains sensitive data like:

• your weave cloud TOKENs
• weave net PASSWORDs
• Other tokens / passwords for other non-weave related containers you might be running

TOKENS and passwords can be exposed as the report contains:

• ENV variables for containers/hosts/processes: TOKEN=, PASSWORD=, SECRET=, WHOKNOWSWHAT=.
• complete commands for containers/procs/etc which can contain --password= and --token= etc

Possibles actions:

• [ ] Give a warning in the scope UI when clicking "save raw data as json" that you should not share this report around.
• [ ] Provide a sanitized report which strips / garbles ENV vars, command line args and maybe other things?

[rade]

We have no idea what potentially sensitive info a report may contain. After all, even a container name might be highly sensitive to some users. So the only sane option is to give a warning.

[bboreham]

Note environment variables were turned off by default in #3139