fix(bridges): obfuscate the password in bridges API responses #9593
I'm afraid the situation is a bit more complicated than what it seems to be.
Since the GET response is used for the dashboard to pre-fill the text boxes so the user can update some fields and click the "Save" or "Update" button to update the bridge configuration, we'll need to handle the case in which the sensitive field is provided with the value <<"******">>; then we do not update the password for this config.
Otherwise, for whatever they want to update, they will have to re-fill the password box. Super inconvenient, but also not making it more secure than before because the user would likely have to copy-paste the password over and over again, i.e. actually higher chance to leak it.
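The round trip described in the comment above, as an added example that is not code from this PR or from EMQX: the GET path redacts sensitive values, and the update path keeps the stored value wherever the placeholder comes back. The module name, function names, sensitive-key list and sample config are assumptions made for illustration.

```erlang
%% Added example, not EMQX code. All names below are hypothetical.
-module(redact_example).
-export([redact/1, restore/2, demo/0]).

-define(PLACEHOLDER, <<"******">>).

%% Assumed list of sensitive keys for this example.
is_sensitive(K) -> lists:member(K, [<<"password">>, <<"secret">>]).

%% GET path: replace every sensitive value, recursing into nested maps.
redact(Conf) when is_map(Conf) ->
    maps:map(fun(K, V) ->
                 case is_sensitive(K) of
                     true -> ?PLACEHOLDER;
                     false -> redact(V)
                 end
             end, Conf);
redact(Other) -> Other.

%% Update path: merge the submitted config against the stored one.
restore(New, Old) when is_map(New), is_map(Old) ->
    maps:fold(fun(K, V, Acc) -> restore_key(K, V, Old, Acc) end, #{}, New);
restore(New, _Old) when is_map(New) -> restore(New, #{});
restore(New, _Old) -> New.

restore_key(K, ?PLACEHOLDER = V, Old, Acc) ->
    case {is_sensitive(K), maps:find(K, Old)} of
        {true, {ok, Stored}} -> Acc#{K => Stored}; % unchanged: keep the stored secret
        {true, error} -> Acc;                      % nothing stored: never save the placeholder
        {false, _} -> Acc#{K => V}                 % ordinary field holding a literal "******"
    end;
restore_key(K, V, Old, Acc) ->
    Acc#{K => restore(V, maps:get(K, Old, #{}))}.

%% Constructed sample config: the dashboard edits only "server" and posts the form back.
demo() ->
    Stored = #{<<"server">> => <<"db:3306">>,
               <<"auth">> => #{<<"username">> => <<"emqx">>,
                               <<"password">> => <<"s3cret">>}},
    Shown = redact(Stored),
    #{<<"auth">> := #{<<"password">> := ?PLACEHOLDER}} = Shown,
    Saved = restore(Shown#{<<"server">> => <<"db2:3306">>}, Stored),
    #{<<"server">> := <<"db2:3306">>,
      <<"auth">> := #{<<"password">> := <<"s3cret">>}} = Saved,
    ok.
```

One consequence of this design is that a real password equal to the placeholder string cannot be set through the update path.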
port `redact` from 4.3 to master, and obfuscate sensitive data in the response when querying bridges information by API

fix EMQX-8374