MT#60601 obfuscate password/webpassword in API valdiation errors

* plain text passwords are obfuscated in validation errors returned by API Change-Id: Iff989696ce09faff34692eaa129aee6981340a97 (cherry picked from commit 65ae07a97b)
9 months ago · 6ba0c24142
parent 354791c369
commit 6ba0c24142
1 changed files with 5 additions and 3 deletions
--- a/lib/NGCP/Panel/Role/API.pm
+++ b/lib/NGCP/Panel/Role/API.pm
@ -260,10 +260,12 @@ sub validate_form {
            my $e = join '; ', map {
                my $in = (defined $_->input && ref $_->input eq 'HASH' && exists $_->input->{id}) ? $_->input->{id} : ($_->input // '');
                $in //= '';
+                my $field_name = ($_->parent->$_isa('HTML::FormHandler::Field') ? $_->parent->name . '_' : '') . $_->name;
+                my $secure_input = $field_name =~ /^(web)?password$/ ? '*****' : $in;
                sprintf 'field=\'%s\', input=\'%s\', errors=\'%s\'',
-                    ($_->parent->$_isa('HTML::FormHandler::Field') ? $_->parent->name . '_' : '') . $_->name,
-                    $in, #for now, we dont change the error response text, even if causes sensitive data in the logs.
-                         #(($_->$_can('todo') && $_->todo()) ? $c->qs($in) : $in),
+                    $field_name, $secure_input,
+                    #for now, we dont change the error response text, even if causes sensitive data in the logs.
+                    #(($_->$_can('todo') && $_->todo()) ? $c->qs($in) : $in),
                    join(',', @{ $_->errors })
            } $form->error_fields;
            $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Validation failed. $e");