fix: password leakage vulnerability caused by pagination (#527)

* fix: password leakage vulnerability caused by pagination Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * fix: unsafe get-app-login response fields Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
2025-07-03 12:30:19 +08:00 · 2022-03-02 20:58:16 +08:00
parent 2a0dcd746f
commit 83a6b757a4
3 changed files with 16 additions and 1 deletions
--- a/controllers/auth.go
+++ b/controllers/auth.go
@ -118,6 +118,7 @@ func (c *ApiController) GetApplicationLogin() {
 	state := c.Input().Get("state")

 	msg, application := object.CheckOAuthLogin(clientId, responseType, redirectUri, scope, state)
+	application = object.GetMaskedApplication(application, "")
 	if msg != "" {
 		c.ResponseError(msg, application)
 	} else {
--- a/controllers/user.go
+++ b/controllers/user.go
@ -44,6 +44,7 @@ func (c *ApiController) GetGlobalUsers() {
 		limit := util.ParseInt(limit)
 		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetGlobalUserCount(field, value)))
 		users := object.GetPaginationGlobalUsers(paginator.Offset(), limit, field, value, sortField, sortOrder)
+		users = object.GetMaskedUsers(users)
 		c.ResponseOk(users, paginator.Nums())
 	}
 }
@ -70,6 +71,7 @@ func (c *ApiController) GetUsers() {
 		limit := util.ParseInt(limit)
 		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetUserCount(owner, field, value)))
 		users := object.GetPaginationUsers(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		users = object.GetMaskedUsers(users)
 		c.ResponseOk(users, paginator.Nums())
 	}
 }