api: avoid sending sensitive data in api response

- UI: use post when updating user - S3: don't send s3 key in the response - VPN: don't send preshared key in remoteaccessvpn api response - Snapshot response should set zone id not volume's device id Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2025-12-16 10:32:34 +01:00 · 2015-03-11 16:30:20 +05:30 · 2015-03-11 16:30:20 +05:30 · 02cadc3fb3
commit 02cadc3fb3
parent 7d2ffe063d
4 changed files with 6 additions and 12 deletions
--- a/api/src/org/apache/cloudstack/api/response/RemoteAccessVpnResponse.java
+++ b/api/src/org/apache/cloudstack/api/response/RemoteAccessVpnResponse.java
@ -41,10 +41,6 @@ public class RemoteAccessVpnResponse extends BaseResponse implements ControlledE
    @Param(description = "the range of ips to allocate to the clients")
    private String ipRange;
    @SerializedName("presharedkey")
    @Param(description = "the ipsec preshared key")
    private String presharedKey;
    @SerializedName(ApiConstants.ACCOUNT)
    @Param(description = "the account of the remote access vpn")
    private String accountName;
@ -85,10 +81,6 @@ public class RemoteAccessVpnResponse extends BaseResponse implements ControlledE
        this.ipRange = ipRange;
    }
    public void setPresharedKey(String presharedKey) {
        this.presharedKey = presharedKey;
    }
    @Override
    public void setAccountName(String accountName) {
        this.accountName = accountName;
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@ -452,7 +452,7 @@ public class ApiResponseHelper implements ResponseGenerator {
            snapshotResponse.setVolumeId(volume.getUuid());
            snapshotResponse.setVolumeName(volume.getName());
            snapshotResponse.setVolumeType(volume.getVolumeType().name());
-            DataCenter zone = ApiDBUtils.findZoneById(volume.getDeviceId());
+            DataCenter zone = ApiDBUtils.findZoneById(volume.getDataCenterId());
            if (zone != null) {
                snapshotResponse.setZoneId(zone.getUuid());
            }
@ -1300,7 +1300,6 @@ public class ApiResponseHelper implements ResponseGenerator {
            vpnResponse.setPublicIp(ip.getAddress().addr());
        }
        vpnResponse.setIpRange(vpn.getIpRange());
        vpnResponse.setPresharedKey(vpn.getIpsecPresharedKey());
        populateOwner(vpnResponse, vpn);
        vpnResponse.setState(vpn.getState().toString());
        vpnResponse.setId(vpn.getUuid());
--- a/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java
+++ b/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java
@ -84,7 +84,8 @@ public class ImageStoreJoinDaoImpl extends GenericDaoBase<ImageStoreJoinVO, Long
        if ( detailName != null && detailName.length() > 0 && !detailName.equals(ApiConstants.PASSWORD)) {
            String detailValue = ids.getDetailValue();
            if (detailName.equals(ApiConstants.KEY) || detailName.equals(ApiConstants.S3_SECRET_KEY)) {
-                detailValue = DBEncryptionUtil.decrypt(detailValue);
+                // ALWAYS return an empty value for the S3 secret key since that key is managed by Amazon and not CloudStack
                detailValue = "";
            }
            ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, detailValue);
            osResponse.addDetail(osdResponse);
@ -99,7 +100,8 @@ public class ImageStoreJoinDaoImpl extends GenericDaoBase<ImageStoreJoinVO, Long
        if ( detailName != null && detailName.length() > 0 && !detailName.equals(ApiConstants.PASSWORD)) {
            String detailValue = ids.getDetailValue();
            if (detailName.equals(ApiConstants.KEY) || detailName.equals(ApiConstants.S3_SECRET_KEY)) {
-                detailValue = DBEncryptionUtil.decrypt(detailValue);
+                // ALWAYS return an empty value for the S3 secret key since that key is managed by Amazon and not CloudStack
                detailValue = "";
            }
            ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, detailValue);
            response.addDetail(osdResponse);
--- a/ui/scripts/installWizard.js
+++ b/ui/scripts/installWizard.js
@ -37,6 +37,7 @@
                    id: cloudStack.context.users[0].userid,
                    password: md5Hashed ? $.md5(args.data.password) : args.data.password
                },
                type: 'POST',
                dataType: 'json',
                async: true,
                success: function(data) {