Description of problem:
the dialog_parser method writes the hashed dialog fields into the log file - this could be a security problem. This didn't happen in previous releases - you only saw ****** - now you see the hashed data

Version-Release number of selected component (if applicable):
5.9.3

How reproducible:
always

Steps to Reproduce:
1. create a Service Dialog with a "restricted" element
2. order the service dialog from the catalog
3. check output of dialog_parser

Actual results:
you will see the hashed data provided by the user

Expected results:
there should be no user data in the log

Additional info:

Hi Christian, Thanks for the update. I'm going to change this ticket to be more generic. Regards, Tina
https://github.com/ManageIQ/manageiq/pull/17986
https://github.com/ManageIQ/manageiq-automation_engine/pull/228
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/2247c8a028940a82d3e9fd1fa29d4e8e64e5629e

commit 2247c8a028940a82d3e9fd1fa29d4e8e64e5629e
Author: Lucy Fu <lufu>
AuthorDate: Thu Sep 13 10:46:57 2018 -0400
Commit: Lucy Fu <lufu>
CommitDate: Thu Sep 13 10:46:57 2018 -0400

    Add regex for dialog password fields.

    https://bugzilla.redhat.com/show_bug.cgi?id=1619385

 app/models/miq_request_workflow.rb | 2 +-
 spec/models/miq_request_workflow_spec.rb | 6 +
 2 files changed, 7 insertions(+), 1 deletion(-)

https://github.com/ManageIQ/manageiq-gems-pending/pull/373
New commits detected on ManageIQ/manageiq-automation_engine/master:

https://github.com/ManageIQ/manageiq-automation_engine/commit/c9a6e9803760f8c1dad48715eb9178cd03bfad2a

commit c9a6e9803760f8c1dad48715eb9178cd03bfad2a
Author: Lucy Fu <lufu>
AuthorDate: Thu Sep 13 09:33:17 2018 -0400
Commit: Lucy Fu <lufu>
CommitDate: Thu Sep 13 09:33:17 2018 -0400

    The "_id" attribute should be added only for VMDB objects.

    The "_id" attribute is not meant for fields like password::dialog_password_field.

    https://bugzilla.redhat.com/show_bug.cgi?id=1619385

 lib/miq_automation_engine/engine/miq_ae_engine/miq_ae_object.rb | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

https://github.com/ManageIQ/manageiq-automation_engine/commit/4a3cf53f7f61aa5b00661081042ac17f5c7253cb

commit 4a3cf53f7f61aa5b00661081042ac17f5c7253cb
Author: Lucy Fu <lufu>
AuthorDate: Thu Sep 13 09:28:19 2018 -0400
Commit: Lucy Fu <lufu>
CommitDate: Thu Sep 13 09:28:19 2018 -0400

    Hide the password value in automate and evm.log.

    https://bugzilla.redhat.com/show_bug.cgi?id=1619385

 lib/miq_automation_engine/engine/miq_ae_engine.rb | 10 +-
 lib/miq_automation_engine/engine/miq_ae_engine/miq_ae_domain_search.rb | 2 +-
 lib/miq_automation_engine/engine/miq_ae_engine/miq_ae_workspace_runtime.rb | 2 +-
 lib/miq_automation_engine/engine/miq_ae_method_service/miq_ae_service.rb | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

New commit detected on ManageIQ/manageiq-gems-pending/master:
https://github.com/ManageIQ/manageiq-gems-pending/commit/744d4c983cdb5ab8ba68e68938860e2dd3e11dd7

commit 744d4c983cdb5ab8ba68e68938860e2dd3e11dd7
Author: Lucy Fu <lufu>
AuthorDate: Fri Sep 14 13:20:18 2018 -0400
Commit: Lucy Fu <lufu>
CommitDate: Fri Sep 14 13:20:18 2018 -0400

    Add regex for URL encoded password value.

    https://bugzilla.redhat.com/show_bug.cgi?id=1619385

 lib/gems/pending/util/miq-password.rb | 7 +-
 spec/util/miq-password_spec.rb | 6 +-
 2 files changed, 8 insertions(+), 5 deletions(-)

New commit detected on ManageIQ/manageiq-gems-pending/hammer:
https://github.com/ManageIQ/manageiq-gems-pending/commit/448fc49b99ee8eb97c532450287337eb82978054

commit 448fc49b99ee8eb97c532450287337eb82978054
Author: Brandon Dunne <brandondunne>
AuthorDate: Tue Sep 25 14:52:08 2018 -0400
Commit: Brandon Dunne <brandondunne>
CommitDate: Tue Sep 25 14:52:08 2018 -0400

    Merge pull request #373 from lfu/password_log_1619385

    Changes to MiqPassword.sanitize_string to support URL encoded password.

    (cherry picked from commit 2fa61e91ce5eeba1dc969e38c76faaee61cb7eb6)

    https://bugzilla.redhat.com/show_bug.cgi?id=1619385

 lib/gems/pending/util/miq-password.rb | 7 +-
 spec/util/miq-password_spec.rb | 6 +-
 2 files changed, 8 insertions(+), 5 deletions(-)

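The commits above mask encrypted password values, including their URL-encoded form, before they reach the log. The following is an added example, not ManageIQ's code or the MiqPassword implementation: a small Ruby scrubber that masks by value pattern and by key name. The token shape `v<digits>:{...}`, the `LogScrub` module, its method names and the sample token are assumptions made for illustration.

```ruby
require "logger"
require "uri"

# Added illustration; not the MiqPassword implementation.
module LogScrub
  MASK = "********".freeze
  # Assumed token shape for an encrypted value: v<digits>:{<payload>}
  PLAIN = /v\d+:\{[^}]*\}/
  # The same token after URL encoding (":" => %3A, "{" => %7B, "}" => %7D).
  ENCODED = /v\d+%3A%7B[^\s}]*?%7D/i
  # Key names treated as secret whatever the value looks like.
  SECRET_KEY = /passw(or)?d/i

  module_function

  # Mask encrypted tokens embedded anywhere in a log message.
  def scrub_string(msg)
    msg.to_s.gsub(PLAIN, MASK).gsub(ENCODED, MASK)
  end

  # Return a copy of a (possibly nested) hash that is safe to log.
  def scrub_hash(hash)
    hash.each_with_object({}) do |(key, value), out|
      out[key] =
        if key.to_s.match?(SECRET_KEY) then MASK
        elsif value.is_a?(Hash) then scrub_hash(value)
        elsif value.is_a?(String) then scrub_string(value)
        else value
        end
    end
  end

  # Logger that scrubs every message at the one place it is written.
  def logger(io)
    log = Logger.new(io)
    log.formatter = proc { |sev, _time, _prog, msg| "#{sev}: #{scrub_string(msg)}\n" }
    log
  end
end

# Constructed sample data: a placeholder token, not a real ciphertext.
SAMPLE_TOKEN = "v2:{c2FtcGxlLXRva2Vu}".freeze
SAMPLE_ENCODED = URI.encode_www_form_component(SAMPLE_TOKEN)
puts LogScrub.scrub_string("opts: pw=#{SAMPLE_TOKEN} url=?p=#{SAMPLE_ENCODED}")
```

Masking by key name covers fields such as `password::dialog_password_field` even when the value does not match the token pattern; masking by value pattern covers tokens embedded in free-form messages and query strings.
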
https://github.com/ManageIQ/manageiq/pull/18028
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/e0f463be18b1afed262cf40fa63ae33a03c25d64

commit e0f463be18b1afed262cf40fa63ae33a03c25d64
Author: Lucy Fu <lufu>
AuthorDate: Thu Sep 27 14:03:14 2018 -0400
Commit: Lucy Fu <lufu>
CommitDate: Thu Sep 27 14:03:14 2018 -0400

    Hide the password values in the log messages.

    https://bugzilla.redhat.com/show_bug.cgi?id=1619385

 app/models/manageiq/providers/embedded_ansible/automation_manager/playbook.rb | 3 +-
 1 file changed, 2 insertions(+), 1 deletion(-)

New commit detected on ManageIQ/manageiq/hammer:
https://github.com/ManageIQ/manageiq/commit/bf5c14fce3f3d9681369e0132d2bbc7489426ab0

commit bf5c14fce3f3d9681369e0132d2bbc7489426ab0
Author: Greg McCullough <gmccullo>
AuthorDate: Thu Sep 27 14:39:57 2018 -0400
Commit: Greg McCullough <gmccullo>
CommitDate: Thu Sep 27 14:39:57 2018 -0400

    Merge pull request #18028 from lfu/password_log_2_1619385

    Hide the password values in the log messages.

    (cherry picked from commit 4aee0f3931a86a3b68f8305ee7d56c78df91b056)

    https://bugzilla.redhat.com/show_bug.cgi?id=1619385

 app/models/manageiq/providers/embedded_ansible/automation_manager/playbook.rb | 3 +-
 1 file changed, 2 insertions(+), 1 deletion(-)

Fixed and verified in 5.10.0.19.20181009184346_1c8bf5d. Password hashes are not shown in the logs; "*" characters are shown instead.