
fix(core): Redact csrfSecret when returning oauth credentials to the frontend #10075

Merged: 1 commit merged on Jul 16, 2024

Conversation

netroy (Member) commented Jul 16, 2024

Summary

We store the temporary CSRF state in the DB during an auth flow. During this time, if the frontend requests that particular credential, we are returning the decrypted csrfSecret in the response when includeData is set to true.
Ideally we should only be returning the credential fields that are actually editable in the UI, and removing the rest. But that is a much bigger change, and I'd like to patch this potential security concern right away.

Review / Merge checklist

  • PR title and summary are descriptive
  • Tests included
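The pattern the PR describes, as an added example that is not n8n's own code: a decrypted credential record is mapped to a frontend response, and when includeData is true only the fields the browser may see are copied, so the server-side csrfSecret never reaches the response. The record shape, the sample values and every field name other than csrfSecret and includeData are constructed assumptions for illustration; the "before" function reproduces the leak described in the summary so the check can be seen catching it.

```typescript
// Added example (not n8n's own code). The record shape, the sample values
// and every field name other than csrfSecret and includeData are constructed.

type CredentialData = Record<string, unknown>;

interface StoredCredential {
  id: string;
  name: string;
  type: string;
  data: CredentialData; // already decrypted when it reaches this layer
}

interface CredentialResponse {
  id: string;
  name: string;
  type: string;
  data?: CredentialData;
}

// Fields that only exist to drive the server side of an auth flow and must
// never be serialized to the browser. csrfSecret is the one the PR is about;
// a set keeps the rule easy to extend without touching the mapping code.
const SERVER_ONLY_FIELDS: ReadonlySet<string> = new Set(['csrfSecret']);

// "Before": hands the decrypted blob back verbatim whenever includeData is
// set, which is exactly the leak the PR summary describes.
function unsafeToFrontendCredential(cred: StoredCredential, includeData: boolean): CredentialResponse {
  const out: CredentialResponse = { id: cred.id, name: cred.name, type: cred.type };
  if (includeData) out.data = { ...cred.data };
  return out;
}

// "After": copies field by field and drops anything marked server-only.
function toFrontendCredential(cred: StoredCredential, includeData: boolean): CredentialResponse {
  const out: CredentialResponse = { id: cred.id, name: cred.name, type: cred.type };
  if (!includeData) return out;
  const data: CredentialData = {};
  for (const [key, value] of Object.entries(cred.data)) {
    if (SERVER_ONLY_FIELDS.has(key)) continue;
    data[key] = value;
  }
  out.data = data;
  return out;
}

// Defender-side check: which server-only fields survived into a response?
// Suitable as a unit test or as a last assertion right before res.json().
function leakedFields(resp: CredentialResponse): string[] {
  if (!resp.data) return [];
  return Object.keys(resp.data).filter((k) => SERVER_ONLY_FIELDS.has(k));
}

// Constructed sample: an OAuth2 credential captured mid-flow, so the
// transient csrfSecret is still present alongside the editable fields.
const sampleCredential: StoredCredential = {
  id: 'cred-1',
  name: 'Example OAuth2 account',
  type: 'exampleOAuth2Api', // hypothetical credential type name
  data: {
    clientId: 'constructed-client-id',
    clientSecret: 'constructed-client-secret',
    csrfSecret: 'constructed-csrf-state-value',
  },
};

// Runs both mappers over the sample and reports what each one leaks.
function demo(): { before: string[]; after: string[] } {
  return {
    before: leakedFields(unsafeToFrontendCredential(sampleCredential, true)),
    after: leakedFields(toFrontendCredential(sampleCredential, true)),
  };
}

console.log(demo()); // { before: [ 'csrfSecret' ], after: [] }
```

The editable fields (here the constructed clientId and clientSecret) still come back when includeData is true, which matches the narrow fix the PR chose over the larger "only return editable fields" change; the denylist is the minimal patch, and leakedFields is the regression check that keeps it honest.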

@n8n-assistant n8n-assistant bot added the labels core (Enhancement outside /nodes-base and /editor-ui) and n8n team (Authored by the n8n team) on Jul 16, 2024

cypress bot commented Jul 16, 2024

5 flaky tests on run #5953
Results: 0 failed, 400 passed, 0 skipped, 0 pending, 5 flaky

Details:
  • Environment: browsers:node18.12.0-chrome107, triggered by netroy, specs e2e/*
  • Project: n8n, commit eca615ea80
  • Status: Passed, duration 05:43
  • Started: Jul 16, 2024 4:00 PM, ended: Jul 16, 2024 4:06 PM

Flaky tests:
  • 5-ndv.cy.ts (2 flaky tests)
    • NDV > should not retrieve remote options when required params throw errors
    • NDV > Stop listening for trigger event from NDV
  • 10-undo-redo.cy.ts (1 flaky test)
    • Undo/Redo > should undo/redo adding connected nodes
  • 20-workflow-executions.cy.ts (1 flaky test)
    • Current Workflow Executions > should auto load more items if there is space and auto scroll
  • 24-ndv-paired-item.cy.ts (1 flaky test)
    • NDV > resolves expression with default item when input node is not parent, while still pairing items

Review all test suite changes for PR #10075

Contributor commented

✅ All Cypress E2E specs passed

@netroy netroy merged commit 48f047e into master Jul 16, 2024
27 checks passed
@netroy netroy deleted the stop-leaking-csrfSecret branch July 16, 2024 16:09
@github-actions github-actions bot mentioned this pull request Jul 17, 2024
janober (Member) commented Jul 17, 2024

Got released with [email protected]

Labels: core (Enhancement outside /nodes-base and /editor-ui), n8n team (Authored by the n8n team), Released, security