njnu-seafish opened a new issue, #18403:
URL: https://github.com/apache/dolphinscheduler/issues/18403

   ### Search before asking
   
   - [x] I had searched in the 
[issues](https://github.com/apache/dolphinscheduler/issues?q=is%3Aissue) and 
found no similar feature requirement.
   
   
   ### Description
   
   ### Security issue
   
   UsersServiceImpl#checkUserParams currently returns the original invalid 
parameter value when user parameter validation fails.
   
   When password validation fails, the method returns the raw password value. 
The caller then passes this value to Status.REQUEST_PARAMS_NOT_VALID_ERROR , 
which may include the submitted password in the API error response.
   
   Even if the password does not meet the validation rules, it should still be 
treated as sensitive information because it may be the user’s intended password 
or a reused credential.
   
   
   ### Expected behavior
   
   When password validation fails, the API should not echo the submitted 
password. It should return the field name or a generic validation error instead.
   
   For example:
   ```
   request parameter password is not valid
   ```
   
   instead of:
   ```
   request parameter <raw password> is not valid
   ```
   
   ### Suggested improvement
   
   Update checkUserParams so that password validation failure returns a safe 
field identifier such as password , instead of the raw password value.
   
   ### Are you willing to submit a PR?
   
   - [x] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of 
Conduct](https://www.apache.org/foundation/policies/conduct)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: 
[email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to