
Credentials exposed in getProjectDetails api

Open minghao-wang opened this issue 3 years ago • 1 comments

Describe the bug Credentials exposed in getProjectDetails api, this may lead to a security issue.

To Reproduce Steps to reproduce the behavior:

  1. Open Chrome DevTools, go to Network tab
  2. Select one GET /api/project/XXXX
  3. Hit Preview, there is credential info in the pipeline list

Expected behavior Should hide credential of the pipelines

minghao-wang, May 27 '21 08:05

Hi @minghao-wang, thanks for the feedback.

When we developed the application, we tried to make it as minimal as possible so we could deliver a usable version quickly. Therefore, only data in the database was encrypted, and the responsibility of transport layer safety is leveraged to users. But now, since we don't have pressure on a timeline, I think we can make it better as you mentioned.

hyrepo, May 31 '21 15:05
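One way to enforce the expected behavior from the issue, as an added example that is not metrik's own code: mask credential fields before a project payload is serialized, and use a checker in a regression test to confirm nothing leaks. The field names, the key pattern and the sample payload are assumptions constructed for illustration.

```javascript
// Added example: key pattern and payload shape are assumptions,
// not taken from the metrik code base.
const SENSITIVE_KEY = /(credential|password|secret|token|api[-_]?key)/i;
const MASK = "********";

// Return a deep copy of `value` with every non-empty sensitive field masked.
function redactCredentials(value) {
  if (Array.isArray(value)) return value.map(redactCredentials);
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const [key, child] of Object.entries(value)) {
    const sensitive = SENSITIVE_KEY.test(key) && child !== null && child !== "";
    out[key] = sensitive ? MASK : redactCredentials(child);
  }
  return out;
}

// Return the JSON paths of sensitive fields that still carry a real value.
function findExposedCredentials(value, path = "$") {
  if (Array.isArray(value)) {
    return value.flatMap((v, i) => findExposedCredentials(v, `${path}[${i}]`));
  }
  if (value === null || typeof value !== "object") return [];
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const here = `${path}.${key}`;
    if (SENSITIVE_KEY.test(key)) {
      if (child !== null && child !== "" && child !== MASK) hits.push(here);
    } else {
      hits.push(...findExposedCredentials(child, here));
    }
  }
  return hits;
}

// Constructed sample of a GET /api/project/XXXX response body.
const sampleProject = {
  id: "XXXX",
  pipelines: [
    { id: "p1", name: "build", username: "ci-user", credential: "constructed-secret-1" },
    { id: "p2", name: "deploy", credential: "constructed-secret-2" },
  ],
};

console.log(findExposedCredentials(sampleProject));
console.log(findExposedCredentials(redactCredentials(sampleProject)));
```

Masking on the server side keeps the secret out of the response entirely; if the edit form needs to keep an existing credential, the client can send the mask back and the server can treat it as "unchanged".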