jhipster/jhipster-registry

Exposing Git Credentials over Info Endpoint

juliensadaoui opened this issue · 1 comments

Overview of the issue

The JHipster registry will expose configured git credentials (username/password or private key) in the info endpoint if we use the COMPOSIT_TYPE git because the CloudConfigInfoContributor exposes git credentials over the Info endpoint.

The application configuration dashboard displays the full view of the configuration source using the Info endpoint.

Motivation for or Use Case

We use an unsecured endpoint to get this sensitive config. We need to fix it.

Reproduce the error
  • Start the Keycloak container: docker-compose -f src/main/docker/keycloak.yml up
  • Set the environment variables: SPRING_CLOUD_CONFIG_SERVER_COMPOSITE_0_USERNAME and SPRING_CLOUD_CONFIG_SERVER_COMPOSITE_0_PASSWORD
  • Start the JHipster Registry with the prod profile: SPRING_PROFILES_ACTIVE=prod,oauth2 ./mvnw

Git credentials are not protected from unauthorized access over the Info endpoint.

Related issues

Nothing

Suggest a Fix

I suggest creating a new secured endpoint to get the configuration source of Spring Cloud Config and removing this contributor.

JHipster Registry Version(s)

From v6.1.2 to v7.3.0

Browsers and Operating System

Windows, Linux, Mac OS X

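Added example, not part of the issue or of the JHipster Registry code base: a small Python audit that takes the JSON body returned by an unauthenticated GET of the Info endpoint, lists every key that looks like a credential, and produces the redacted view a safe contributor would expose. The payload below is constructed; the key names are modelled on the Spring Cloud Config composite git settings named in the reproduce steps (username, password, private key, passphrase), not copied from the registry's real output. It can serve as a regression check after the fix: the `leaks` list must be empty.

```python
import json
import re

# Constructed sample of what the Info endpoint might return while the
# CloudConfigInfoContributor echoes the composite git sources. The structure
# and every value are made up for this example.
SAMPLE_INFO = {
    "cloud-config-label": "main",
    "cloud-config-server-configuration-sources": [
        {
            "type": "git",
            "uri": "https://git.example.invalid/config.git",
            "username": "config-bot",
            "password": "hunter2-not-a-real-secret",
            "search-paths": ["central-config"],
        },
        {
            "type": "git",
            "uri": "git@git.example.invalid:team/config.git",
            "private-key": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n-----END OPENSSH PRIVATE KEY-----",
            "passphrase": "also-made-up",
        },
    ],
}

# Key names that should never appear with a real value on an unauthenticated
# endpoint. "user" is included because the issue treats username/password as a pair.
SENSITIVE_KEY = re.compile(
    r"(user(name)?|pass(word|phrase)?|secret|token|private[-_]?key|credential)", re.I
)

REDACTED = "******"


def find_secrets(node, path=()):
    """Walk a decoded JSON document and return the path of every credential-looking key."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and SENSITIVE_KEY.search(key):
                hits.append(path + (key,))
            hits.extend(find_secrets(value, path + (key,)))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_secrets(value, path + (index,)))
    return hits


def redact(node):
    """Return a deep copy in which the value of every credential-looking key is masked."""
    if isinstance(node, dict):
        return {
            key: (REDACTED if isinstance(key, str) and SENSITIVE_KEY.search(key) else redact(value))
            for key, value in node.items()
        }
    if isinstance(node, list):
        return [redact(value) for value in node]
    return node


def audit_info(payload: str) -> dict:
    """Parse an Info endpoint body and report leaked credential paths plus a redacted copy.

    A key whose value is already the mask is not counted as a leak, so the same
    check passes once the endpoint has been fixed to redact or drop credentials.
    """
    data = json.loads(payload)
    leaks = []
    for path in find_secrets(data):
        value = data
        for step in path:
            value = value[step]
        if value != REDACTED:
            leaks.append("/".join(str(step) for step in path))
    return {"leaks": leaks, "redacted": redact(data)}


if __name__ == "__main__":
    report = audit_info(json.dumps(SAMPLE_INFO))
    for leak in report["leaks"]:
        print("credential exposed at", leak)
    print(json.dumps(report["redacted"], indent=2))
```

To check a running registry, feed it the body of `GET /management/info` fetched without a session; a non-empty `leaks` list means the contributor is still publishing git credentials.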

Adding a bounty on this important issue