passwords visible in preview

Open fdrab opened this issue 1 year ago • 3 comments

Hello,

I've found a past issue (https://github.com/StackStorm/st2web/issues/411) that should have solved this, but it seems that in 3.8.0 the preview leaks fields marked as secret:

[Screenshot 2023-07-19 173418]

Do I have to configure something in the st2.conf? Or is this by design?

BR, Filip

fdrab, Jul 19 '23 15:07

This sounds like a bug indeed as secrets should be masked. Thanks for the report.

If someone is interested in contributing, the fix should be done in the st2 core which provides st2web with an API response.

arm4b, Jul 24 '23 14:07

Same issue while checking the past executions in the execution tab.

docbyte86, Jul 27 '23 06:07

> Same issue while checking the past executions in the execution tab.

Can you post an example screenshot? I see secrets properly masked in past execution outputs:

[Screenshot 2023-07-27 084430]

If, however, you store a secret in the context and then post the whole context as output, the secret is going to be posted in cleartext.

fdrab, Jul 27 '23 06:07
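
The behaviour described in the last comment, as an added example that is not part of the thread and is not StackStorm's code: masking driven by fields marked as secret covers the parameters, but a result that copies the secret into untyped output passes through unmasked unless a value-based scrub is also applied. The function names, the schema layout with a `secret` flag, the mask string and the sample data are all assumptions constructed for illustration.

```python
# Added illustration; not StackStorm code. All names and data are constructed.
MASK = "********"  # assumed mask string

def mask_by_schema(values, schema):
    """Mask every value whose schema entry is flagged secret, recursing into objects."""
    masked = {}
    for name, value in values.items():
        spec = schema.get(name, {})
        if spec.get("secret"):
            masked[name] = MASK
        elif isinstance(value, dict) and spec.get("type") == "object":
            masked[name] = mask_by_schema(value, spec.get("properties", {}))
        else:
            masked[name] = value
    return masked

def collect_secrets(values, schema):
    """Return the cleartext strings that the schema flags as secret."""
    found = set()
    for name, value in values.items():
        spec = schema.get(name, {})
        if spec.get("secret") and isinstance(value, str) and value:
            found.add(value)
        elif isinstance(value, dict):
            found |= collect_secrets(value, spec.get("properties", {}))
    return found

def scrub_values(obj, secrets):
    """Value-based pass: replace known secret strings anywhere in an untyped result."""
    if isinstance(obj, dict):
        return {k: scrub_values(v, secrets) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub_values(v, secrets) for v in obj]
    if isinstance(obj, str):
        for s in secrets:
            obj = obj.replace(s, MASK)
    return obj

# Constructed sample: parameter schema, parameters, and a result that dumps its context.
SCHEMA = {"host": {"type": "string"},
          "password": {"type": "string", "secret": True},
          "auth": {"type": "object",
                   "properties": {"token": {"type": "string", "secret": True}}}}
PARAMS = {"host": "db01", "password": "hunter2-example",
          "auth": {"token": "tok-example-123"}}
RESULT = {"stdout": "connected",
          "context": {"password": "hunter2-example", "note": "used tok-example-123"}}
```
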