Skip to content

Secret object parameters in the CLI and Web are no longer redacted #4235

New issue
New issue
Closed
Closed
Secret object parameters in the CLI and Web are no longer redacted#4235
Labels
bugregressionsecurity
Milestone
2.8.1
@jjm

Description

@jjm
jjm
opened on Jul 10, 2018
SUMMARY

Following an upgrade to ST2 2.8.0, I found parameters with an type of object and marked as secret: true were not being redacted for both the WebUI and CLI.

ISSUE TYPE
  • Bug Report
STACKSTORM VERSION
st2 2.8.0, on Python 2.7.6
OS / ENVIRONMENT / INSTALL METHOD

docker via st2-docker.

STEPS TO REPRODUCE

Have an action (e.g. aws_boto3.boto3action) that takes an object as a parameter and marked as secret: true.

When running the action with the following parameters :

parameters:
  region:
    type: "string"
    description: "Region where action is performed"
    default: "eu-west-1"
  credentials:
    type: "object"
    description: "An AWS credentials object"
    secret: true
EXPECTED RESULTS

The secret parameter should be redacted, the following output is from v2.7.x:

parameters:
  credentials: '********'
  region: eu-west-1
ACTUAL RESULTS
id: 5b44b87390be8400f0b121b7
status: succeeded
parameters:
  credentials:
    Credentials:
      AccessKeyId: <deleted-non-redacted-key>
      Expiration: '2018-07-10 14:42:52'
      SecretAccessKey: <deleted-non-redacted-key>
      SessionToken: deleted-non-redacted-key
  region: eu-west-1
result:
  exit_code: 0
  result:
    allocation_ids: []
    no_association_ids: []
  stderr: ''
  stdout: ''

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugregressionsecurity

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions