CA database credentials exposed to console user

Question

CA database credentials exposed to console user

arner opened this issue a year ago · comments

The console calls the backend API at /api/v3/components?deployment_attrs=included.

The response is a JSON that contains the components of the organization. The field componentx[i].ca.db.datasource contains the full connection string to the database, including the username and password of the database user.

This information is (as far as I can tell) not used by the UI, but exposing it is a security risk; it should be redacted like the admin identities.

dshuffma-ibm commented a year ago

#482

dshuffma-ibm commented a year ago

#492

dshuffma-ibm · Answer 1 · Thu May 11 2023 02:34:40 GMT+0800 (China Standard Time)

@arner seems like a reasonable request

dshuffma-ibm · Answer 2 · Wed May 31 2023 22:36:40 GMT+0800 (China Standard Time)

fixed in builds v1.0.5-20 and higher

Arne · Answer 3 · Fri Jun 02 2023 17:30:09 GMT+0800 (China Standard Time)

Thanks but this does not solve the complete issue. I tested on fabric-console:1.0.5-21 and the tlsca still leaks the datasource field.

We might have to add:

			// remove sensitive fields from a TLS CA response
			if (doc.tlsca && doc.tlsca.db) {
				delete doc.tlsca.db.datasource;
			}
			if (doc.config_override && doc.config_override.tlsca && doc.config_override.tlsca.db) {
				delete doc.config_override.tlsca.db.datasource;
			}

@dshuffma-ibm can this issue be reopened?

dshuffma-ibm · Answer 4 · Fri Jun 02 2023 21:07:55 GMT+0800 (China Standard Time)

@arner yep, thanks for checking on it

Arne · Answer 5 · Wed Jun 14 2023 16:33:52 GMT+0800 (China Standard Time)

Thank you, resolved!