Hide sensitive data from audit dashboard after updating a stream

[Hassen-BENNOUR]

Description:
When i update a stream, local platform, sensitives data are not hidden from stream properties on the audit dashboard and displayed.
Only on update audit type.

Release versions:
Version: 2.9.3

Steps to reproduce:
Any update Stream from REST API or UI causes the passwords from stream properties are not hidden in the audit dashboard.

Screenshots:

Additional context:
convertPropertiesToSkipperYaml must hide sensitive data

[markpollack]

thanks for pointing this out, we will address this shortly in the next point release

[markpollack]

See current usage of ArgumentSanitizer.java

[Hassen-BENNOUR]

Hi guys,
Today I've seen another service who's exposing credentials or secrets.
From the dashboard on the stream deployment page, when a stream is deployed the dashboard retrieve stream history and manifests... informations are not hidden from services responses and displayed as is.
Get Deployment History i think, I'll check, https://docs.spring.io/spring-cloud-dataflow/docs/current/reference/htmlsingle/#api-guide-resources-stream-deployment-history
So i think that is more secure to create a http filter or a HandlerInterceptor to intercept all responses and sanitize them apart from the audit ?

[corneil]

@Hassen-BENNOUR is this the logging of the dataflow or skipper apps?

[Hassen-BENNOUR]

@corneil
Logging of Dataflow, retrieved from skipper i think.
I've dont checked yet skipper services.

[markpollack]

fixed in #4955

[Hassen-BENNOUR]

@markpollack @corneil
The issue is not resolved in Core: 2.10.3 (Spring Cloud Data Flow Core) as you can see in screenshots below

The update stream operation still show secrets on the UI ans services

[onobc]

Hi @Hassen-BENNOUR , thanks for the heads up. We re-opened this issue for visibility and then will now track this under #5452.