From 6a7ab2a4c1a381972797b3c4cfd700cdb0c298d7 Mon Sep 17 00:00:00 2001
From: Stephane MEYER
Date: Thu, 26 Sep 2024 10:14:45 +0200
Subject: [PATCH] fix(xo-server/api): private data in api call
---
 CHANGELOG.unreleased.md | 2 ++
 packages/xo-server/src/xo-mixins/api.mjs | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.unreleased.md b/CHANGELOG.unreleased.md
index 498050711e2..426889d5aa0 100644
--- a/CHANGELOG.unreleased.md
+++ b/CHANGELOG.unreleased.md
@@ -25,6 +25,8 @@
 > Users must be able to say: “I had this issue, happy to know it's fixed”
+- [Logs] Fix private data in API call: password now obfuscated (PR [#8019](https://github.com/vatesfr/xen-orchestra/pull/8019))
+
 ### Packages to release > When modifying a package, add it here with its release type.
diff --git a/packages/xo-server/src/xo-mixins/api.mjs b/packages/xo-server/src/xo-mixins/api.mjs
index 901c68d6400..d510d802130 100644
--- a/packages/xo-server/src/xo-mixins/api.mjs
+++ b/packages/xo-server/src/xo-mixins/api.mjs
@@ -386,10 +386,11 @@ export default class Api {
 const resolvedParams = await resolveParams.call(app, method, params)
+ // data.params contains obfuscated params
 let result = await (name in NO_LOG_METHODS ? method.call(app, resolvedParams) : app.tasks
- .create({ name: 'API call: ' + name, method: name, params, type: 'api.call' }, { clearLogOnSuccess: true })
+ .create({ name: 'API call: ' + name, method: name, params: data.params, type: 'api.call' }, { clearLogOnSuccess: true })
 .run(() => method.call(app, resolvedParams))) // If nothing was returned, consider this operation a success
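Review bot: The added comment `// data.params contains obfuscated params` sits above `let result` instead of on the `.create(...)` call it explains, and it does not tell a maintainer why the raw `params` must stay out of the task record. `data` is defined outside this hunk (the enclosing method starts and ends outside it), so how it is obfuscated cannot be checked here; since `{ clearLogOnSuccess: true }` suggests the record is kept when a call fails, I would put the comment on the call as `// task records outlive failed calls: log the obfuscated data.params, never the raw params`. The changelog names only passwords, so please confirm that the obfuscation also covers other secret-bearing fields such as tokens, and add a regression test asserting that a call with a `password` param leaves no clear-text value in the created task.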