password in toString in generated model · swagger-api/swagger-codegen#2662

(11 comments) (6 reactions) (0 assignees)HTML (12,701 stars) (5,474 forks)batch import

Enhancement: Generalhelp wanted

Description

When using format "password", e.g.

  credentials:
    type: object
    properties:
      username:
        type: string
      password:
        type: string
        format: password
    required:
    - username
    - password

the field "password" is contained in the toString method of the generated model class.

In my opinion, that's a security issue (you don't want client passwords appearing in log files etc.)

Would it make sense to change the corresponding line in toString to:

sb.append(" password: ").append("<protected>").append("\n");

whenever the format "password" is used?

Contributor guide

Tech stack: javahtml
Domain: securityapi
Issue type: security
Difficulty: 2
Estimated time: under 1 hour
Activity status: stale
Clarity: clear
Prerequisites: Basic JavaSwagger/OpenAPI
Newbie friendliness: 80
Research direction: The fix involves modifying the Mustache template that generates the toString method in model classes. Look in the `modules/swagger codegen/src/main/resources/` directory for the template handling string properties. The issue suggests adding a conditional check for `format: password` and outputting `<protected>` instead of the actual value. Consider if other sensitive formats (e.g., `format: hidden`) should be handled similarly. Check existing PRs or comments for prior work or alternative approaches.