WebUI shows secrets in plain text on Rules/Enforcements section

[nicholasamorim]

SUMMARY

Web UI shows variables marked as secret: true in plain text on Rules/Enforcements.

st2 CLI correctly masks it.

STACKSTORM VERSION

st2 3.1.0 running on Python 2.7

OS, environment, install method

Docker

Steps to reproduce the problem

---
name: full_backup
pack: mongodb
enabled: true
description: Performs a backup of MongoDB
runner_type: orquesta
entry_point: workflows/full_backup.yaml
parameters:
  mongodb_password:
    default: "{{ st2kv.system.mongodb_admin_password | decrypt_kv }}"
    type: string
    secret: true

version: 1.0
description: A workflow that backs up Mongo
input:
  - mongodb_password
vars:
  - stdout: null
  - stderr: null

tasks:
  run_backup_playbook:
    action: core.noop
output:
  - stdout: <% ctx(stdout) %>

Expected Results

For the Web UI to mask the password. But it shows on Web UI shows the password in Rules/Enforcements tab.

Using the st2 CLI execution get correctly masks the secrets.

Actual Results

Web UI shows the password in Rules/Enforcements tab. Open an execution and the password is shown in ACTION INPUT.