/management/info exposes sensitive data #554
Comments
This security issue has been fixed. See #544 for more details. @pascalgrimaud Can we do a release of JHipster Registry?
@juliensadaoui: do you know how to do the release? If yes, go ahead.
I don't know how to do it completely.
@juliensadaoui: ok, then I'll take care of it, maybe after lunch.
Duplicate issue #544
Overview of the issue
By default /management/info is unprotected but can expose sensitive data. I am using git as backend and the info page is showing the git URL as well as the SSH key (!?).
I've tried removing info from management.endpoints.web.exposure.include, but that caused other issues, like the home page not opening the username/password prompt window. Clicking on 'Please sign in' didn't do anything, so I had to open /registry/applications to get the credentials prompt.
Motivation for or Use Case
Reproduce the error
Remove info from management.endpoints.web.exposure.include or remove
.antMatchers("/management/info").permitAll()
from JWTSecurityConfiguration.java (and rebuild)
The same happens with .antMatchers("/management/info").hasAuthority(AuthoritiesConstants.ADMIN)
Related issues
Suggest a Fix
The info page should not show sensitive data. Or perhaps, similar to the /health page, show all info if authorized and otherwise show only non-sensitive data.
JHipster Registry Version(s)
I've tried v6.8 and v7.3.0 and the behavior is the same.
Browsers and Operating System
Chrome, Firefox on Windows 10
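One way to implement the "show everything if authorized, otherwise only non-sensitive data" suggestion from the report above, as an added example that is not JHipster Registry code and not the fix applied in #544: a Spring Boot Actuator InfoContributor that always publishes the backend type, adds the config repository URI only when the caller holds the ADMIN authority, and never publishes the SSH private key at any privilege level. This keeps /management/info on permitAll, so it sidesteps the login-prompt regression the reporter hit when restricting the path in JWTSecurityConfiguration. The class name ConfigBackendInfoContributor is hypothetical; the property spring.cloud.config.server.git.uri is the standard Spring Cloud Config Server git-backend property, and "ROLE_ADMIN" is the value JHipster's AuthoritiesConstants.ADMIN holds, inlined here so the snippet compiles outside the project. It assumes the JWT filter has already populated the SecurityContext for the request; if it has not, the admin branch is simply never taken, which fails closed.

```java
// Added example, not project code: an InfoContributor that gates sensitive
// details on the ADMIN authority and never exposes the repository key.
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.info.Info;
import org.springframework.boot.actuate.info.InfoContributor;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

@Component // hypothetical class name
public class ConfigBackendInfoContributor implements InfoContributor {

    // Same value as JHipster's AuthoritiesConstants.ADMIN ("ROLE_ADMIN"),
    // inlined so the example compiles without the project on the classpath.
    private static final String ADMIN = "ROLE_ADMIN";

    // Standard Spring Cloud Config Server property for the git backend URI;
    // defaults to empty so the bean still starts when no git backend is set.
    private final String gitUri;

    public ConfigBackendInfoContributor(
            @Value("${spring.cloud.config.server.git.uri:}") String gitUri) {
        this.gitUri = gitUri;
    }

    @Override
    public void contribute(Info.Builder builder) {
        Map<String, Object> backend = new LinkedHashMap<>();
        // Safe for anonymous callers: reveals only which backend type is in use.
        backend.put("type", "git");
        // The repository URI may embed a hostname or credentials, so it is
        // published only to authenticated administrators.
        if (isAdmin(SecurityContextHolder.getContext().getAuthentication())) {
            backend.put("uri", gitUri);
        }
        // Deliberately no "privateKey", "password" or similar entries at any
        // privilege level: secrets do not belong on an info page.
        builder.withDetail("configBackend", backend);
    }

    // True only for an authenticated principal carrying the ADMIN authority.
    // A null or unauthenticated Authentication (no valid JWT) fails closed.
    static boolean isAdmin(Authentication auth) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (ADMIN.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

With this contributor registered, an anonymous GET on /management/info returns only {"configBackend":{"type":"git"}}, while a request carrying an ADMIN token additionally sees the "uri" entry. If the application also has Spring Boot's auto-configured git build-info contributor enabled, review its output separately; this example only controls what this bean adds.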