CA database credentials exposed to console user
arner opened this issue
The console calls the backend API at `/api/v3/components?deployment_attrs=included`.
The response is a JSON document that contains the components of the organization. The field `components[i].ca.db.datasource`
contains the full connection string to the database, including the username and password of the database user.
This information is (as far as I can tell) not used by the UI, but exposing it is a security risk; it should be redacted like the admin identities.
@arner seems like a reasonable request
fixed in builds v1.0.5-20 and higher
Thanks but this does not solve the complete issue. I tested on fabric-console:1.0.5-21 and the tlsca still leaks the datasource field.
We might have to add:
```javascript
// remove sensitive fields from a TLS CA response
if (doc.tlsca && doc.tlsca.db) {
  delete doc.tlsca.db.datasource;
}
if (doc.config_override && doc.config_override.tlsca && doc.config_override.tlsca.db) {
  delete doc.config_override.tlsca.db.datasource;
}
```
@dshuffma-ibm can this issue be reopened?
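As an added illustration (not code from fabric-console or from the commenters above), the redaction the thread asks for can be applied to the whole component list in one pass, covering both `ca` and `tlsca` as well as `config_override`, with a regression check that confirms no `datasource` value survives. The sample response below is constructed; only the field names come from the issue.

```javascript
// Added example (not the fabric-console project's own code): redact the
// CA / TLS CA database connection string from an API response before it
// reaches the console user. Field names follow the issue above; the
// sample response further down is constructed.
const SENSITIVE_PARENTS = ['ca', 'tlsca'];

// Remove `<ca|tlsca>.db.datasource` from one object (a component or its
// config_override). Mutates `obj` in place.
function stripCaDatasource(obj) {
  for (const key of SENSITIVE_PARENTS) {
    const section = obj[key];
    if (section && section.db && typeof section.db === 'object') {
      delete section.db.datasource;
    }
  }
}

// Return a deep copy of `components` with every datasource string removed,
// both at the top level of each component and under `config_override`.
// The caller's input is not mutated.
function redactDatasources(components) {
  const copy = JSON.parse(JSON.stringify(components));
  for (const comp of copy) {
    stripCaDatasource(comp);
    if (comp.config_override && typeof comp.config_override === 'object') {
      stripCaDatasource(comp.config_override);
    }
  }
  return copy;
}

// Regression check: count `datasource` keys anywhere in a response, so a
// test can assert the redacted payload contains none.
function countDatasources(value) {
  if (Array.isArray(value)) return value.reduce((n, v) => n + countDatasources(v), 0);
  if (value && typeof value === 'object') {
    return Object.entries(value).reduce(
      (n, [k, v]) => n + (k === 'datasource' ? 1 : 0) + countDatasources(v), 0);
  }
  return 0;
}

// Constructed sample resembling a /api/v3/components response
const sampleComponents = [
  { id: 'ca1', ca: { db: { type: 'postgres', datasource: 'host=db user=u password=p' } } },
  { id: 'tlsca1', tlsca: { db: { datasource: 'host=db user=u password=p' } },
    config_override: { tlsca: { db: { datasource: 'host=db2 user=u password=p' } } } },
  { id: 'peer1', peer: { name: 'peer' } },
];

console.log(countDatasources(redactDatasources(sampleComponents))); // 0
```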
@arner yep, thanks for checking on it
Thank you, resolved!