From 6ba0c24142c17006cc4df78ce7cf5107029ca1e5 Mon Sep 17 00:00:00 2001
From: Kirill Solomko
Date: Tue, 30 Jul 2024 18:30:54 +0200
Subject: [PATCH] MT#60601 obfuscate password/webpassword in API valdiation errors

* plain text passwords are obfuscated in validation errors returned by API

Change-Id: Iff989696ce09faff34692eaa129aee6981340a97
(cherry picked from commit 65ae07a97bc84cf41493759752e0064b6855d89d)
---
 lib/NGCP/Panel/Role/API.pm | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/NGCP/Panel/Role/API.pm b/lib/NGCP/Panel/Role/API.pm
index d6bb4af9f3..b6a355d220 100644
--- a/lib/NGCP/Panel/Role/API.pm
+++ b/lib/NGCP/Panel/Role/API.pm
@@ -260,10 +260,12 @@ sub validate_form {
 my $e = join '; ', map {
 my $in = (defined $_->input && ref $_->input eq 'HASH' && exists $_->input->{id}) ? $_->input->{id} : ($_->input // '');
 $in //= '';
+ my $field_name = ($_->parent->$_isa('HTML::FormHandler::Field') ? $_->parent->name . '_' : '') . $_->name;
+ my $secure_input = $field_name =~ /^(web)?password$/ ? '*****' : $in;
 sprintf 'field=\'%s\', input=\'%s\', errors=\'%s\'',
- ($_->parent->$_isa('HTML::FormHandler::Field') ? $_->parent->name . '_' : '') . $_->name,
- $in, #for now, we dont change the error response text, even if causes sensitive data in the logs.
- #(($_->$_can('todo') && $_->todo()) ? $c->qs($in) : $in),
+ $field_name, $secure_input,
+ #for now, we dont change the error response text, even if causes sensitive data in the logs.
+ #(($_->$_can('todo') && $_->todo()) ? $c->qs($in) : $in),
 join(',', @{ $_->errors })
 } $form->error_fields;
 $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Validation failed. $e");
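Review bot: The mask is keyed on the composed `$field_name`, so if any form nests a password field under another `HTML::FormHandler::Field`, the name becomes `<parent>_password`, no longer matches the anchored `/^(web)?password$/`, and its input is still returned in clear text. Testing the leaf name closes that gap: `my $secure_input = $_->name =~ /\A(?:web)?password\z/ ? '*****' : $in;`. The retained comment saying the error text is left unchanged even with sensitive data is now out of date for these two fields; it should name the masked fields and state that every other field's `$in` still reaches the response, and presumably the logs, unmodified. `validate_form` starts before the hunk and continues after it, so whether `error()` logs the same string cannot be confirmed from here.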