Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ULNRemotes expose username/password in the serializer. #2428

Closed
ggainey opened this issue Mar 18, 2022 · 0 comments · Fixed by #2438
Closed

ULNRemotes expose username/password in the serializer. #2428

ggainey opened this issue Mar 18, 2022 · 0 comments · Fixed by #2438
Assignees
@dralley
Labels
Issue

Comments

@ggainey
Copy link
Contributor

ggainey commented Mar 18, 2022

Version
rpm/3.18-dev
core/3.19-dev

Describe the bug
Serializers shouldn't expose sensitive information. UlnRemoteSerializer, alas, does.

To Reproduce

http POST :/pulp/api/v3/remotes/rpm/uln/ name=ulnremote url=uln://uln username=foo password=bar
{
    "ca_cert": null,
    "client_cert": null,
    "connect_timeout": null,
    "download_concurrency": null,
    "headers": null,
    "max_retries": null,
    "name": "ulnremote",  
    "password": "bar",      <========== PASSWORD EXPOSED
    "policy": "immediate",
    "proxy_url": null,
    "pulp_created": "2022-03-18T12:21:51.029375Z",
    "pulp_href": "/pulp/api/v3/remotes/rpm/uln/3ddb3442-df7a-4845-81dc-4286b716daa5/",
    "pulp_labels": {},
    "pulp_last_updated": "2022-03-18T12:21:51.029391Z",
    "rate_limit": null,
    "sock_connect_timeout": null,
    "sock_read_timeout": null,
    "tls_validation": true,
    "total_timeout": null,
    "uln_server_base_url": null,
    "url": "uln://uln",
    "username": "foo"   <========== USERNAME EXPOSED
}

Expected behavior
We can't expose sensitive information in the serializers. UlnRemote needs to protect username/password like the default remote.

Additional context
UlnRemote needs some work, it overrides fields from base Remote that it doesn't need to. If UlnRemote didn't have its "own" username/password, this bug wouldn't exist.
@dralley dralley self-assigned this Mar 25, 2022
dralley added a commit to dralley/pulp_rpm that referenced this issue Mar 25, 2022
@dralley
Username and password fields on ULN Remotes should be hidden
a0285a4 
closes pulp#2428
@dralley dralley mentioned this issue Mar 25, 2022
Merged
dralley added a commit to dralley/pulp_rpm that referenced this issue Mar 25, 2022
@dralley
Username and password fields on ULN Remotes should be hidden
047fa9f 
closes pulp#2428
dralley added a commit to dralley/pulp_rpm that referenced this issue Mar 25, 2022
@dralley
Username and password fields on ULN Remotes should be hidden
b3d9279 
closes pulp#2428
dralley added a commit that referenced this issue Mar 25, 2022
@dralley
Username and password fields on ULN Remotes should be hidden
1616552 
closes #2428
patchback bot pushed a commit that referenced this issue Mar 25, 2022
@dralley @patchback
Username and password fields on ULN Remotes should be hidden
1d98b8d 
closes #2428

(cherry picked from commit 1616552)
@patchback patchback bot mentioned this issue Mar 25, 2022
Merged
dralley added a commit that referenced this issue Mar 25, 2022
@dralley
Username and password fields on ULN Remotes should be hidden
8b4cb3c 
closes #2428

(cherry picked from commit 1616552)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dralley dralley

Labels
Issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Username and password fields on ULN Remotes should be hidden dralley/pulp_rpm
2 participants
@dralley @ggainey