Skip to content

Commit

Permalink
Fix the potential vulnerability of password showcase of external prov…
Browse files Browse the repository at this point in the history
…iders

CVE-2024-7259

Issue: Password was visible for external providers after changing input type from password to text in browser developer tools (Inspect tools).

Fix: Added the logic for sending the ******* as password text to UI and updating the password only if user makes any change in password.

Signed-off-by: Saksham Srivastava <[email protected]>
  • Loading branch information
saksham-oracle authored and sandrobonazzola committed Oct 18, 2024
1 parent ff9d113 commit 4ad9306
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ public EditProviderModel(SearchableListModel sourceListModel, Provider provider)
getUrl().setEntity(provider.getUrl());
getRequiresAuthentication().setEntity(provider.isRequiringAuthentication());
getUsername().setEntity(provider.getUsername());
getPassword().setEntity(provider.getPassword());
getPassword().setEntity("********"); //$NON-NLS-1$
if (provider.isRequiringAuthentication() && provider.getType().isAuthUrlAware()) {
Uri uri = new Uri(provider.getAuthUrl());
if (uri.isValid()) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -648,7 +648,9 @@ private void flush() {
provider.setRequiringAuthentication(authenticationRequired);
if (authenticationRequired) {
provider.setUsername(getUsername().getEntity());
if(!getPassword().getEntity().equals("********")) { //$NON-NLS-1$
provider.setPassword(getPassword().getEntity());
}
if (getTenantName().getIsAvailable()) {
OpenStackProviderProperties properties = getOpenStackProviderProperties();
properties.setTenantName(getTenantName().getEntity());
Expand Down

0 comments on commit 4ad9306

Please sign in to comment.