1817485 – Invoked Receptor installation job shows plaintext password in user inputs

Bug 1817485 - Invoked Receptor installation job shows plaintext password in user inputs

Summary: Invoked Receptor installation job shows plaintext password in user inputs

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Ansible
Sub Component:
Version:	6.7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	Unspecified
Assignee:	Marek Hulan
QA Contact:	Lukáš Hellebrandt
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-03-26 12:33 UTC by Lukáš Hellebrandt
Modified:	2020-04-14 19:09 UTC (History)
CC List:	4 users (show)
Fixed In Version:	tfm-rubygem-foreman_remote_execution-2.0.10
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-04-14 19:09:17 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	29465	0	High	Closed	Invoked Receptor installation job shows plaintext password in user inputs	2020-10-29 20:15:16 UTC

Description Lukáš Hellebrandt 2020-03-26 12:33:08 UTC

Description of problem:
After invoking a Configure Cloud Connector job, Receptor user credentials are shown in Job Invocation's "User Inputs" part which is accessible to any user with "Remote Execution User" role. This user can login as Receptor user, misusing whatever rights that user has.
Similar to bug 1814998.

Version-Release number of selected component (if applicable):
Sat 6.7 snap 17, NOT regression

How reproducible:
Deterministic

Steps to Reproduce:
1. Hosts -> Job Templates -> run Configure Cloud Connector
2. Select hosts, enter (required) satellite_user and satellite_password
3. As any user that can do it, open the job invocation

Actual results:
You can see satellite_user and satellite_password in plaintext

Expected results:
You shouldn't be able to get these values in any way through Satellite

Additional info:
It's expectable that the passwords are stored somewhere (e.g. database) and they can be accessed there

Comment 3 Marek Hulan 2020-04-02 19:58:27 UTC

Created redmine issue https://projects.theforeman.org/issues/29465 from this bug

Comment 4 Bryan Kearney 2020-04-02 20:02:42 UTC

Upstream bug assigned to mhulan

Comment 5 Bryan Kearney 2020-04-02 20:02:44 UTC

Upstream bug assigned to mhulan

Comment 6 Bryan Kearney 2020-04-03 14:02:44 UTC

Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/29465 has been resolved.

Comment 7 Lukáš Hellebrandt 2020-04-06 15:36:43 UTC

Verified with Sat 6.7 snap 20. Passwords are now asterisked-out on the job invocation page. Note that any user with create_invocation permission can still see the entered password by clicking Rerun a looking into source code but that is by design (user with this permission can do potentially more dangerous things).

Comment 8 Bryan Kearney 2020-04-14 19:09:17 UTC

This was fixed in 6.7.

Note You need to log in before you can comment on or make changes to this bug.