Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Ensure password inputs are always masked #78

Merged
merged 2 commits into from
Mar 8, 2023
Merged

feat: Ensure password inputs are always masked #78

merged 2 commits into from
Mar 8, 2023

Conversation

mydea
Copy link
Member

@mydea mydea commented Mar 7, 2023

This PR does two things:

  1. Ensure you cannot opt-out of masking type="password" inputs
  2. Ensure inputs that used to have type=password and have this type changed (so e.g. through a "show password" toggle) always keep the password masked, even afterwards.

We should never record passwords, and e.g. toggle password type buttons are quite common and would easily leak the password into the replay as of now.

We do this by adding a rr_is_password attribute to the HTML input when the type is changed from password to something else. This is IMHO the easiest solution for this, and since we only add this when the type is really changed (so not eagerly for all inputs) IMHO it's an acceptable tradeoff to have this in the DOM.

Closes #34

@mydea mydea requested review from billyvg and Lms24 March 7, 2023 12:12
@mydea mydea self-assigned this Mar 7, 2023
billyvg
billyvg approved these changes Mar 7, 2023
View reviewed changes
Copy link
Member

@billyvg billyvg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this something we'd want to upstream? If so it should probably an option, though we could start an issue since 2.0 would be a good place to make that breaking change.

The password -> text is a good candidate to upstream though 👍

packages/rrweb/test/integration.test.ts
// Change type to text (simulate "show password")
await page.click('#show-password');
await page.type('#password', 'XY');
await page.click('#show-password');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This toggles it back to type: password? It might be better to test leaving it as text

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We test before this line (on 512) that it works while being a text field, so I think this should be OK?

Lms24
Lms24 approved these changes Mar 8, 2023
View reviewed changes
Copy link
Member

@Lms24 Lms24 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, thanks for addressing this!

@mydea
Copy link
Member Author

mydea commented Mar 8, 2023

Is this something we'd want to upstream? If so it should probably an option, though we could start an issue since 2.0 would be a good place to make that breaking change.

The password -> text is a good candidate to upstream though 👍

Yeah, I think the type change stuff makes sense to upstream. Not sure if they would like to have the "do not allow to opt-out of password" stuff upstream, but I guess I can also just ask!

@mydea
Copy link
Member Author

mydea commented Mar 8, 2023

Added upstream PR: rrweb-io#1170

@mydea mydea merged commit 42ce5ae into sentry-v1 Mar 8, 2023
@mydea mydea deleted the fn/never-unmask-passwords branch March 8, 2023 11:53
@bruno-garcia bruno-garcia mentioned this pull request Jan 31, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@billyvg billyvg billyvg approved these changes

@Lms24 Lms24 Lms24 approved these changes

Assignees

@mydea mydea

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Never unmask password inputs
3 participants
@mydea @billyvg @Lms24