StackStorm UI not masking the secret values
SUMMARY
The API and logs have the option to mask the secrets, but the execution history in the GUI is showing the secrets in plain text.
STACKSTORM VERSION
st2 3.8.1, on Python 3.8.10
OS, environment, install method
Ubuntu, Docker
Steps to reproduce the problem
st2 key set github_key test-value --encrypt
GUI:
Actions -> Packs -> download
Packs:
https://
CLI
st2 pack install https://
Expected Results
https://
Actual Results
cmdline: git clone -v -- https://:@
This is not a bug, but rather you expecting it to do something it's not meant to do. The secret masking works only on fields and inputs marked as secret. If you enter a password into a plaintext field that's not marked as such, the engine is going to display it as a non-secret.
Even with "secret" fields be aware that:
1. They're not encrypted and are stored in the DB as plaintext fields. It's the API that's doing the masking. There's a PR to fix this.
2. They can still be shown in the GUI if you click on the "Preview" button (I have a fix for this in my codebase, but can't bring myself to do a PR).
3. For python actions, even secrets are provided to the scripts as plaintext values and are capturable via "ps -ef | grep wrapper" if the action runs long enough, even by a non-admin user that has access to the system (or can execute ps -ef | grep wrapper via other means).
How do we mark something as a secret other than using "--encrypt" when we store it in the database? In my request I didn't type in the password in plain text, I referred to a key which was marked as a secret https://:{{ st2kv.system.github_key | decrypt_kv }}@
Also, how come it's masked in the CLI and API but not in the GUI?
Similar to the API and log options below:

[api]
mask_secrets = True

[log]
mask_secrets = True

Maybe we can add a similar option to

[webui]
mask_secrets = True
In the YAML definition of the action. In this case you'd have to fork the st2_pack install action.
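To make the distinction drawn in this thread concrete, here is an added illustration (not StackStorm's own code) of masking that only covers parameters declared `secret: true`, beside a URL-credential scrubber as an extra mitigation for the clone-URL case; the schema, parameter names and values are constructed.

```python
from typing import Any, Dict
from urllib.parse import urlsplit, urlunsplit

MASKED = "********"

# Constructed action schema in the style of an action YAML definition (assumed
# names). Only "token" is declared secret; "repo_url" is an ordinary string.
ACTION_PARAMETERS: Dict[str, Dict[str, Any]] = {
    "repo_url": {"type": "string", "description": "Git URL to clone"},
    "token": {"type": "string", "secret": True},
}

# Constructed execution parameters: the decrypted key has already been rendered
# into the URL, as with {{ st2kv.system.github_key | decrypt_kv }} above.
EXECUTION_PARAMS: Dict[str, Any] = {
    "repo_url": "https://:constructed-secret-value@example.invalid/org/repo.git",
    "token": "constructed-secret-value",
}


def mask_secret_parameters(schema: Dict[str, Any], params: Dict[str, Any]) -> Dict[str, Any]:
    """Mask only fields flagged secret: a secret interpolated into a
    non-secret field (here repo_url) is left untouched and therefore leaks."""
    return {
        name: MASKED if schema.get(name, {}).get("secret", False) else value
        for name, value in params.items()
    }


def redact_url_userinfo(url: str) -> str:
    """Replace any user:password section of a URL with the mask (added mitigation)."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]  # drop everything before the last "@"
    return urlunsplit((parts.scheme, MASKED + "@" + host, parts.path, parts.query, parts.fragment))


def render_for_display(schema: Dict[str, Any], params: Dict[str, Any]) -> Dict[str, Any]:
    """What a UI or log should show: declared secrets masked, URL credentials scrubbed."""
    shown = mask_secret_parameters(schema, params)
    return {
        name: redact_url_userinfo(value) if isinstance(value, str) and "://" in value else value
        for name, value in shown.items()
    }


if __name__ == "__main__":
    print("schema-only masking:", mask_secret_parameters(ACTION_PARAMETERS, EXECUTION_PARAMS))
    print("with URL scrubbing: ", render_for_display(ACTION_PARAMETERS, EXECUTION_PARAMS))
```

Running it shows the token masked in both outputs, while the key embedded in repo_url survives schema-only masking and is removed only by the URL scrub.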