Mask password fields of inputs returned by the REST API. (#5432) #5733

Merged
merged 2 commits into from Feb 28, 2019

3 participants
@bernd
Member

bernd commented Feb 28, 2019

  • Mask password fields of inputs returned by the REST API.

Before this change, input details returned by the REST API would contain
all configuration fields without any modification. This implies that
password fields are also contained using their original value, showing
configured password for inputs in clear text.

This change now iterates over configuration fields checking for the
presence of password fields and replaces their content with `<password set>` instead of the original value if they are not empty.

Fixes #5408.

  • Adding test for actual resource method, including license headers.

  • Adding test for complete input list retrieval.

  • Adding guard clause for null parameters.

  • Using locales for toLowerCase.

  • Handling null values in map.

  • Do not mask passwords in input config for users with edit permission.

If a user contains the required permission to edit an input, passwords
in the input's config are not masked. This is prevented so the input
edit dialog still functions in the same way as before.

  • Adding/adapting tests.

(cherry picked from commit a562a33)
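
The masking rule described in this pull request, as an added Java example that is not Graylog's code: password fields with a non-empty value are replaced by `<password set>` unless the caller may edit the input. The class and method names, the `passwordFields` set and the `canEdit` flag are hypothetical; how Graylog itself identifies password fields and checks permissions is not shown on this page.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class InputConfigMasking {
    static final String PASSWORD_SET = "<password set>"; // placeholder named in the PR text

    /**
     * Returns a copy of config that is safe to serialize for this caller.
     * passwordFields (hypothetical): lower-case names of fields the input type declares as passwords.
     * canEdit (hypothetical): result of the caller's edit-permission check for this input.
     */
    static Map<String, Object> maskPasswords(Map<String, Object> config,
                                             Set<String> passwordFields,
                                             boolean canEdit) {
        if (config == null) {
            return null; // guard clause: nothing to mask
        }
        Map<String, Object> out = new LinkedHashMap<>(); // allows null values, unlike Map.of
        for (Map.Entry<String, Object> e : config.entrySet()) {
            String key = e.getKey();
            Object value = e.getValue();
            // Explicit locale: the match must not depend on the JVM default (e.g. Turkish dotless i).
            boolean isPassword = !canEdit && key != null && passwordFields != null
                    && passwordFields.contains(key.toLowerCase(Locale.ROOT));
            boolean isSet = value != null && !value.toString().isEmpty();
            out.put(key, isPassword && isSet ? PASSWORD_SET : value);
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, Object> config = new LinkedHashMap<>(); // constructed sample input config
        config.put("bind_address", "0.0.0.0");
        config.put("port", 5044);
        config.put("TLS_Key_Password", "constructed-secret"); // set: masked for read-only users
        config.put("secret_key", "");                         // empty: left as is
        config.put("tls_cert_file", null);                    // null: left as is
        Set<String> passwordFields = Set.of("tls_key_password", "secret_key");

        System.out.println("read-only: " + maskPasswords(config, passwordFields, false));
        System.out.println("can edit:  " + maskPasswords(config, passwordFields, true));
    }
}
```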

Mask password fields of inputs returned by the REST API. (#5432)

@bernd bernd added this to the 2.5.2 milestone Feb 28, 2019

@bernd bernd requested a review from edmundoa Feb 28, 2019

Fixing import. (#5465)
(cherry picked from commit a9a1df0)

@edmundoa edmundoa merged commit 6a70c4b into 2.5 Feb 28, 2019

2 of 4 checks passed

ci-web-linter Jenkins build graylog-pr-linter-check 3403 has failed
continuous-integration/travis-ci/pr The Travis CI build failed
graylog-project/pr Jenkins build graylog-project-pr-snapshot 3217 has succeeded
license/cla Contributor License Agreement is signed.

@edmundoa edmundoa deleted the pr-5432-2.5 branch Feb 28, 2019
