Mask password fields of inputs returned by the REST API. (#5432) #5734
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Mask password fields of inputs returned by the REST API. Before this change, input details returned by the REST API would contain all configuration fields without any modification. This implies that password fields are also contained using their original value, showing configured password for inputs in clear text. This change now iterates over configuration fields checking for the presence of password fields and replace their content with `<password set>` instead of the original value if they are not empty. Fixes #5408. * Adding test for actual resource method, including license headers. * Adding test for complete input list retrievel. * Adding guard clause for null parameters. * Using locales for toLowerCase. * Handling null values in map. * Do not mask passwords in input config for users with edit permission. If a user contains the required permission to edit an input, passwords in the input's config are not masked. This is prevented so the input edit dialog still functions in the same way as before. * Adding/adapting tests. (cherry picked from commit a562a33)
(cherry picked from commit a9a1df0)
edmundoa
approved these changes
Feb 28, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Before this change, input details returned by the REST API would contain
all configuration fields without any modification. This implies that
password fields are also contained using their original value, showing
configured password for inputs in clear text.
This change now iterates over configuration fields checking for the
presence of password fields and replace their content with
<password set>instead of the original value if they are not empty.Fixes #5408.
Adding test for actual resource method, including license headers.
Adding test for complete input list retrievel.
Adding guard clause for null parameters.
Using locales for toLowerCase.
Handling null values in map.
Do not mask passwords in input config for users with edit permission.
If a user contains the required permission to edit an input, passwords
in the input's config are not masked. This is prevented so the input
edit dialog still functions in the same way as before.
(cherry picked from commit a562a33)