Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hide sensitive data from audit dashboard after updating a stream #4947

Closed
Hassen-BENNOUR opened this issue Jun 16, 2022 · 8 comments
Closed

Hide sensitive data from audit dashboard after updating a stream #4947

Hassen-BENNOUR opened this issue Jun 16, 2022 · 8 comments
Assignees
@corneil
Labels
status/in-progress Something is happening
Milestone
2.9.5

Comments

@Hassen-BENNOUR
Copy link

Hassen-BENNOUR commented Jun 16, 2022
edited
Loading

Description:
When i update a stream, local platform, sensitives data are not hidden from stream properties on the audit dashboard and displayed.
Only on update audit type.

Release versions:
Version: 2.9.3

Steps to reproduce:
Any update Stream from REST API or UI causes the passwords from stream properties are not hidden in the audit dashboard.

Screenshots:
image

Additional context:
convertPropertiesToSkipperYaml must hide sensitive data
@github-actions github-actions bot added the status/need-triage Team needs to triage and take a first look label Jun 16, 2022
@markpollack markpollack added this to the 2.9.5 milestone Jun 16, 2022
@markpollack
Copy link
Contributor

thanks for pointing this out, we will address this shortly in the next point release

@markpollack markpollack removed the status/need-triage Team needs to triage and take a first look label Jun 16, 2022
@cppwfs cppwfs added the status/in-progress Something is happening label Jun 16, 2022
@markpollack markpollack assigned corneil and unassigned onobc Jun 21, 2022
@markpollack
Copy link
Contributor

See current usage of ArgumentSanitizer.java

@Hassen-BENNOUR
Copy link
Author

Hi guys,
Today I've seen another service who's exposing credentials or secrets.
From the dashboard on the stream deployment page, when a stream is deployed the dashboard retrieve stream history and manifests... informations are not hidden from services responses and displayed as is.
Get Deployment History i think, I'll check, https://docs.spring.io/spring-cloud-dataflow/docs/current/reference/htmlsingle/#api-guide-resources-stream-deployment-history
So i think that is more secure to create a http filter or a HandlerInterceptor to intercept all responses and sanitize them apart from the audit ?

@corneil
Copy link
Contributor

corneil commented Jun 24, 2022

@Hassen-BENNOUR is this the logging of the dataflow or skipper apps?

@Hassen-BENNOUR
Copy link
Author

@corneil
Logging of Dataflow, retrieved from skipper i think.
I've dont checked yet skipper services.

@markpollack
Copy link
Contributor

fixed in #4955

@corneil corneil mentioned this issue Jun 28, 2022
Closed
@Hassen-BENNOUR
Copy link
Author

@markpollack @corneil
The issue is not resolved in Core: 2.10.3 (Spring Cloud Data Flow Core) as you can see in screenshots below

The update stream operation still show secrets on the UI ans services

image

image

@onobc onobc reopened this Aug 31, 2023
@onobc onobc mentioned this issue Aug 31, 2023
Closed
@onobc
Copy link
Contributor

onobc commented Aug 31, 2023

Hi @Hassen-BENNOUR , thanks for the heads up. We re-opened this issue for visibility and then will now track this under #5452.

@onobc onobc closed this as completed Aug 31, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@corneil corneil

Labels
status/in-progress Something is happening
Projects
None yet
Milestone
2.9.5
Development

No branches or pull requests
5 participants
@markpollack @corneil @cppwfs @Hassen-BENNOUR @onobc