From 0af4bfa443e8d9ca55c9ccc898de9b09ac8f4638 Mon Sep 17 00:00:00 2001
From: Saksham Srivastava
Date: Thu, 17 Oct 2024 18:45:42 +0530
Subject: [PATCH] Fix the potential vulnerability of password showcase of external providers CVE-2024-7259
Issue: Password was visible for external providers after changing input type from password to text in browser developer tools (Inspect tools).
Fix: Added the logic for sending the ******* as password text to UI and updating the password only if user makes any change in password.
Signed-off-by: Saksham Srivastava
---
 .../ui/uicommonweb/models/providers/EditProviderModel.java | 2 +-
 .../engine/ui/uicommonweb/models/providers/ProviderModel.java | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/providers/EditProviderModel.java b/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/providers/EditProviderModel.java
index e956fd36487..0e079d73b80 100644
--- a/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/providers/EditProviderModel.java
+++ b/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/providers/EditProviderModel.java
@@ -47,7 +47,7 @@ public EditProviderModel(SearchableListModel sourceListModel, Provider provider)
 getUrl().setEntity(provider.getUrl());
 getRequiresAuthentication().setEntity(provider.isRequiringAuthentication());
 getUsername().setEntity(provider.getUsername());
- getPassword().setEntity(provider.getPassword());
+ getPassword().setEntity("********"); //$NON-NLS-1$
 if (provider.isRequiringAuthentication() && provider.getType().isAuthUrlAware()) {
 Uri uri = new Uri(provider.getAuthUrl());
 if (uri.isValid()) {
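Review bot: The mask literal `"********"` on the added `getPassword().setEntity(...)` line is the same value that the flush() hunk in ProviderModel.java compares against, yet it is a bare string duplicated in two files; a single shared `static final String` constant (for example on ProviderModel, referenced from both places) would keep the two from drifting apart. The mask is also set unconditionally, so a provider with no stored password is rendered as if one existed and a real password equal to the mask can never be saved; both are acceptable trade-offs but deserve a comment such as `// placeholder only; flush() skips the password update while the field still holds it`. The removed line shows that `provider.getPassword()` is reachable from the client-side Provider object, so unless the server response is scrubbed as well the secret is presumably still delivered to the browser and this hunk only stops it from being displayed in the form. The EditProviderModel constructor continues outside the hunk.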
diff --git a/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/providers/ProviderModel.java b/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/providers/ProviderModel.java
index 206c5a907ee..75fc2060dfa 100644
--- a/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/providers/ProviderModel.java
+++ b/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/providers/ProviderModel.java
@@ -648,7 +648,9 @@ private void flush() {
 provider.setRequiringAuthentication(authenticationRequired);
 if (authenticationRequired) {
 provider.setUsername(getUsername().getEntity());
+ if(!getPassword().getEntity().equals("********")) { //$NON-NLS-1$
 provider.setPassword(getPassword().getEntity());
+ }
 if (getTenantName().getIsAvailable()) {
 OpenStackProviderProperties properties = getOpenStackProviderProperties();
 properties.setTenantName(getTenantName().getEntity());
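Review bot: The added guard calls `.equals` on `getPassword().getEntity()` with no null check, so if the entity can be null (a cleared field, which the removed behaviour tolerated by passing null straight to `provider.setPassword`) flush() now throws a NullPointerException instead of saving; write it as `if (!"********".equals(getPassword().getEntity())) { //$NON-NLS-1$`, which also adds the space after `if` to match the `if (` style on the neighbouring lines. The mask string should come from the same constant the EditProviderModel constructor uses rather than a second literal, since the two must stay identical for the skip to work. A short comment, e.g. `// the UI shows a mask instead of the stored password; only a changed value is persisted`, would explain why the update is conditional. flush() starts and ends outside the hunk.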