[Feature] Obscure variable length if secret is toggled #143

Closed
opened 2025-10-31 15:03:14 -05:00 by GiteaMirror · 1 comment

Originally created by @seraphblade2010 on GitHub (Nov 30, 2024).

Currently one can see the exact length that a variable has even if the secret toggle is toggled.
I think komodo should at least obscure the actual length of the variable if it is treated as a secret.


@mbecker20 commented on GitHub (Nov 30, 2024):

The UI managed Variables are retrievable via API for all Admin level users due to their need to manage these: https://komo.do/docs/variables#defining-variables-and-secrets. If you login as a **non-admin user**, you will see that for variables marked as secret, **the values are completely unavailable for view, including their length**. Since you are logged in as an admin user, your UI will load the UI managed variables from the API, including plain values. Other than this permission-based block, there are no additional security protections around the UI managed Variables; with an admin-level API key you can query them in plain text.

If you don't want ANY access to a Variable from the UI / don't want it served from the API, you can move these to the `core.config.toml` `secrets`: https://github.com/mbecker20/komodo/blob/main/config/core.config.toml#L449.

To reiterate, when variables are defined using the `secrets` section of the `core.config.toml`, the API will NOT expose the value under any circumstances.

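The thread above distinguishes three cases: a UI-managed secret served in plain text to admins, the same secret fully hidden (length included) from non-admins, and a `core.config.toml` secret never served by the API at all. The following is an added example, not Komodo's code, that models those rules in a small serializer and contrasts a length-preserving mask (the kind of leak the issue reporter worries about) with a fixed-width placeholder. The `Variable` data class, the `source` field and the `REDACTED` constant are assumptions for illustration; the sample variables are constructed.

```python
"""Added example (not Komodo's code): serialize variables for an API response
so that non-admin viewers learn nothing about a secret, not even its length.

Assumptions (hypothetical model, not Komodo's data layer):
  - a Variable has a name, a value, an is_secret flag and a source, where
    source is "ui" (managed via the API) or "config" (core.config.toml secrets)
  - the viewer is either an admin or not
"""
from dataclasses import dataclass

# Fixed width regardless of the real secret, so two secrets of different
# length produce identical masked output.
REDACTED = "********"


@dataclass(frozen=True)
class Variable:
    name: str
    value: str
    is_secret: bool = False
    source: str = "ui"  # "ui" or "config" (assumed field)


def leaky_view(var: Variable, is_admin: bool) -> dict:
    """Length-preserving mask: '*' * len(value) reveals how long the secret is.

    Shown only as the anti-pattern; do not use.
    """
    if is_admin or not var.is_secret:
        return {"name": var.name, "value": var.value}
    return {"name": var.name, "value": "*" * len(var.value)}


def safe_view(var: Variable, is_admin: bool) -> dict:
    """Apply the three rules from the discussion.

    1. Config-file secrets are never serialized for anyone: value is None.
    2. Admins get the plain value of UI-managed variables (they manage them).
    3. Everyone else gets a fixed-width placeholder for secrets, so the
       response carries no information about the value or its length.
    """
    if var.source == "config":
        return {"name": var.name, "value": None}
    if is_admin or not var.is_secret:
        return {"name": var.name, "value": var.value}
    return {"name": var.name, "value": REDACTED}


def leaks_length(view_fn, ui_secrets) -> bool:
    """True if a non-admin can distinguish UI-managed secrets by masked length.

    Caller passes UI-managed secrets only (config secrets serialize to None).
    """
    masked_lengths = {len(view_fn(v, is_admin=False)["value"]) for v in ui_secrets}
    return len(masked_lengths) > 1


# Constructed sample data.
SAMPLE_SECRETS = [
    Variable("DB_PASSWORD", "hunter2", is_secret=True),
    Variable("API_TOKEN", "a" * 40, is_secret=True),
]
SAMPLE_PUBLIC = Variable("REGION", "us-east-1")
SAMPLE_CONFIG = Variable("SIGNING_KEY", "from-core-config", is_secret=True, source="config")


if __name__ == "__main__":
    print("leaky mask leaks length:", leaks_length(leaky_view, SAMPLE_SECRETS))
    print("safe mask leaks length: ", leaks_length(safe_view, SAMPLE_SECRETS))
    for role, is_admin in (("admin", True), ("user", False)):
        for v in SAMPLE_SECRETS + [SAMPLE_PUBLIC, SAMPLE_CONFIG]:
            print(role, safe_view(v, is_admin))
```

Running it shows the leaky serializer distinguishing the 7-character and 40-character secrets while the safe one returns the same 8-character placeholder for both, still hands admins the plain value of UI-managed variables, and returns no value for the config-sourced secret in either role.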
Reference: github-starred/komodo#143