Remove transmission of passwords and authentication tokens in settings

Description

If possible, it would be preferable not to transmit to the client the passwords or authentication tokens in:

  • Settings > LDP > Database configuration > Password

  • Settings > LDP > Saved queries configuration > OAuth token for access to repository

GET /ldp/config - replace password by empty string in dbinfo, replace token by empty string in sqconfig

GET /ldp/config/dbinfo - replace password by empty string
PUT /ldp/config/dbinfo - if new password is empty string don't overwrite the stored string
GET /ldp/config/sqinfo - replace token by empty string
PUT /ldp/config/sqinfo - if new token is empty string don't overwrite the stored token
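The read-redact / write-preserve behaviour requested above, as an added illustration that is not mod-ldp's own code. It assumes the stored sections are called `dbinfo` and `sqconfig` with secret fields `password` and `token`, as in the description; the other field names and the in-memory store are constructed for the example.

```python
import copy

# Constructed sample of what the server holds; only "password" and "token"
# are field names taken from the issue, the rest are assumptions.
STORED_CONFIG = {
    "dbinfo": {"url": "jdbc:postgresql://ldp-db:5432/ldp", "user": "ldp", "password": "stored-secret"},
    "sqconfig": {"url": "https://example.invalid/queries.git", "token": "stored-token"},
}

SECRET_FIELDS = {"dbinfo": "password", "sqconfig": "token"}


class LdpConfigStore:
    """In-memory stand-in for the module's settings store (illustration only)."""

    def __init__(self, stored):
        self._stored = copy.deepcopy(stored)

    def _redact(self, section):
        # Read side: never hand the secret to the client, send "" in its place.
        item = copy.deepcopy(self._stored[section])
        item[SECRET_FIELDS[section]] = ""
        return item

    def _merge(self, section, incoming):
        # Write side: an empty (or absent) secret means "keep what is stored",
        # which is exactly what a client sends back after a redacted read.
        merged = copy.deepcopy(incoming)
        field = SECRET_FIELDS[section]
        if not merged.get(field):
            merged[field] = self._stored[section][field]
        self._stored[section] = merged
        return self._redact(section)  # the response is redacted as well

    # GET /ldp/config
    def get_config(self):
        return {section: self._redact(section) for section in SECRET_FIELDS}

    # GET /ldp/config/dbinfo and PUT /ldp/config/dbinfo
    def get_dbinfo(self):
        return self._redact("dbinfo")

    def put_dbinfo(self, incoming):
        return self._merge("dbinfo", incoming)

    # GET /ldp/config/sqinfo and PUT /ldp/config/sqinfo
    def get_sqinfo(self):
        return self._redact("sqconfig")

    def put_sqinfo(self, incoming):
        return self._merge("sqconfig", incoming)

    def stored_secret(self, section):
        # Server-side view only; never returned over HTTP. Used by the checks below.
        return self._stored[section][SECRET_FIELDS[section]]
```

Because an empty value is the "keep" signal, a user who genuinely wants to clear a credential needs a separate path (for example a dedicated delete operation), which the issue does not specify.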

Environment

None

Potential Workaround

None

Activity

Craig McNally June 16, 2022 at 3:26 PM

The security team is wondering when your team might be able to address this.

Mike Taylor March 31, 2022 at 8:28 AM

Ah, I see – making them write-only. Makes sense.

Nassib Nassar March 31, 2022 at 12:43 AM

This is about not transmitting them from the server to the client.

Mike Taylor March 30, 2022 at 11:45 PM

(Looks like the original bug-report in Jira was about these credentials being logged when they are set.)

Mike Taylor March 30, 2022 at 11:44 PM

How, in principle, can this be avoided? If we want to allow users to configure these details in the Settings UI, then surely they have to be transmitted?

Done

Details

Development Team

Thor

Release

Morning Glory (R2 2022)

Created February 18, 2022 at 7:34 PM
Updated February 13, 2025 at 2:37 PM
Resolved July 5, 2022 at 3:57 PM