Skip to content

Ensure values of fields with type password are redacted in API response #21809

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 18, 2024
Merged

Ensure values of fields with type password are redacted in API response #21809

merged 2 commits into from
Jan 18, 2024

Conversation

sgiehl
Copy link
Member

@sgiehl sgiehl commented Jan 15, 2024
edited
Loading

Description:

Plugins are able to define the own system, user and/or measurable settings. See https://developer.matomo.org/guides/plugin-settings
The system settings for all plugins are currently available using the API CorePluginsAdmin.getSystemSettings
The response includes all defined settings including their current value.

This currently makes it possible for a super user to also see values of fields, that are defined as password field.
For certain values it might be unwanted that a super user sees the value another super user might have configured.
Therefor this PR aims to replace values of password fields with *****, so they are no longer visible in the API response.

fixes DEV-16785

Review

@sgiehl sgiehl added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Needs Review PRs that need a code review labels Jan 15, 2024
@sgiehl sgiehl added this to the 5.1.0 milestone Jan 15, 2024
@sgiehl sgiehl marked this pull request as ready for review January 15, 2024 14:30
@sgiehl sgiehl requested a review from a team January 15, 2024 14:50
@michalkleiner
Copy link
Contributor

michalkleiner commented Jan 15, 2024
edited
Loading

Can we adjust an existing test or add a new test for this?

@sgiehl
Copy link
Member Author

sgiehl commented Jan 16, 2024

Not too easily. We don't use any password settings in core. Except of an example in the ExampleSettingsPlugin. But that one doesn't have tests or is enabled in tests at all. Might be easier to add tests for that in QueuedTracking plugin, where such a setting is really used. But I can look into it and see if we can somehow inject a fake setting for tests only

@michalkleiner
Copy link
Contributor

Fair enough. With this change I'd say we probably want to have it covered somewhere as to not have a sudden regression where the password would become visible again.

@sgiehl
Copy link
Member Author

sgiehl commented Jan 16, 2024

I've now added a test

@michalkleiner
Copy link
Contributor

Thanks for adding the test, that all looks good.

One last question that just crossed my mind — shall we throw an exception when someone tries to set the password to ****** (the value of the masked placeholder)?

@sgiehl
Copy link
Member Author

sgiehl commented Jan 18, 2024

One last question that just crossed my mind — shall we throw an exception when someone tries to set the password to ****** (the value of the masked placeholder)?

Currently this value is simply ignored. Throwing an exception would break it, as the UI sends this value to the backend. I don't really see a solution how to change that. We could adjust the UI to avoid sending through the placeholder at all. But it would then also be not possible to distinguish if the placeholder was provided manually to the input field. So the UI would then ignore the value and not the backend...

@michalkleiner
Copy link
Contributor

I guess the best way around it is to implement a password validator requiring a set of different character types in a password that would prevent using six asterisk characters by default, but that's out of scope here. All good.

👍

@sgiehl sgiehl merged commit 2d31f73 into 5.x-dev Jan 18, 2024
@sgiehl sgiehl deleted the dev-16785 branch January 18, 2024 11:23
@sgiehl sgiehl modified the milestones: 5.1.0, 5.0.2 Jan 18, 2024
sgiehl added a commit that referenced this pull request Feb 5, 2024
@sgiehl
Ensure values of fields with type password are redacted in API respon…
edcbb44 
…se (#21809)

* Ensure values of fields with type password are redacted in API response

* Add test
@sgiehl sgiehl mentioned this pull request Feb 5, 2024
Merged
11 tasks
sgiehl added a commit that referenced this pull request Feb 5, 2024
@sgiehl
Ensure values of fields with type password are redacted in API respon…
43a230d 
…se (#21809) (#21881)

* Ensure values of fields with type password are redacted in API response

* Add test
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michalkleiner michalkleiner michalkleiner approved these changes

Assignees
No one assigned
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Needs Review PRs that need a code review
Milestone
5.0.2
Development

Successfully merging this pull request may close these issues.
2 participants
@sgiehl @michalkleiner