njnu-seafish opened a new issue, #18403: URL: https://github.com/apache/dolphinscheduler/issues/18403
### Search before asking - [x] I had searched in the [issues](https://github.com/apache/dolphinscheduler/issues?q=is%3Aissue) and found no similar feature requirement. ### Description ### Security issue UsersServiceImpl#checkUserParams currently returns the original invalid parameter value when user parameter validation fails. When password validation fails, the method returns the raw password value. The caller then passes this value to Status.REQUEST_PARAMS_NOT_VALID_ERROR , which may include the submitted password in the API error response. Even if the password does not meet the validation rules, it should still be treated as sensitive information because it may be the user’s intended password or a reused credential. ### Expected behavior When password validation fails, the API should not echo the submitted password. It should return the field name or a generic validation error instead. For example: ``` request parameter password is not valid ``` instead of: ``` request parameter <raw password> is not valid ``` ### Suggested improvement Update checkUserParams so that password validation failure returns a safe field identifier such as password , instead of the raw password value. ### Are you willing to submit a PR? - [x] Yes I am willing to submit a PR! ### Code of Conduct - [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
