Data Sources | passwords in clear-text #14002

Closed
teixemf opened this issue Oct 7, 2023 · 3 comments

@teixemf
Contributor

teixemf commented Oct 7, 2023

NetBox version

v3.6.3

Python version

3.11

Steps to Reproduce

  1. Add a new Data Source
  2. Select Type: Git || Amazon S3
  3. Input the Password if Type Git || input the AWS secret access key if Type Amazon S3
  4. Save
  5. Edit the newly added Git || Amazon S3 Data Source
  6. Save
  7. Go to the Data Sources main page showing the all Data Sources table
  8. Configure the table to show the column Parameters

Expected Behavior

  1. While typing the password/AWS secret access key the characters should be masked
  2. After saving, one can see the password/AWS secret access key in clear-text on the Backend card
  3. The password/AWS secret access key should be masked
  4. The password/AWS secret access key should be masked while shown on the Parameters column

Observed Behavior

  1. While typing the password/AWS secret access key the characters appear in clear-text
  2. After saving, one can see the password/AWS secret access key in clear-text on the Backend card
  3. The password/AWS secret access key should be masked
  4. The password/AWS secret access key should be masked while shown on the Parameters column

@teixemf added the type: bug label Oct 7, 2023
@abhi1693
Member

abhi1693 commented Oct 7, 2023

I don't think this is a bug. This is somewhat related to #13304, I suspect you are someone with edit access if you are able to view the sensitive parameters as plain text. Moreover, as per #12625 the functionality was requested only for detail object view.

There are other issues I see with this report

  1. You mentioned that the field should display a masked value while typing in the edit form, but that's a standard char field. I don't believe we currently have a password field in the core so not a bug but can be implemented.
  2. Your expected behaviour is to mask the results irrespective of the permission you own, which is essentially a request to change the current behaviour implemented in Datasource passwords are displayed in plaintext #12625. So, this is a workflow change rather than a bug also.
  3. You have also asked to mask the values in the table and shown as a bug but this was never implemented as a feature and doesn't even mention this in the documentation.
    I would reclassify this as a feature request instead as this was never released as a core feature.

@abhi1693 added the status: under review label Oct 7, 2023
@teixemf
Contributor Author

teixemf commented Oct 8, 2023

I don't argue if it can be considered a feature request.
I only reported it as a bug based on the behavior of the User form.

In the User form there is also a Password field and that one appears to deal with the password sensitivity correctly.
While adding a password it masks the chars while typing, and it has a field for password input confirmation.
When editing, the password doesn't show up on the screen and it is not rendered in the HTML code.

Bullet 1. appears to be implemented already on the User form:
https://github.com/netbox-community/netbox/blob/4286c1cde255a9bf146b3b192e1ac17566af0094/netbox/users/forms/model_forms.py#L166C1-L177C6

Bullet 2. appears also to be implemented on the User form. No user can see my password. Not even my user. The User can only change it.

Bullet 3. relates to #13729
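
The behaviour described above for the User form, applied to data source parameters, as an added example in plain Python (not part of this thread and not NetBox's own code). The parameter key names, the `can_view_secrets` flag and the sample values are assumptions made for illustration.

```python
import html

# Assumed key names for the Git password and the AWS secret access key.
SENSITIVE_KEYS = frozenset({"password", "aws_secret_access_key"})
MASK = "********"


def mask_parameters(params, can_view_secrets=False):
    """Copy of params for read-only display (table column, detail card)."""
    if can_view_secrets:  # hypothetical permission flag
        return dict(params)
    return {
        key: MASK if key in SENSITIVE_KEYS and value else value
        for key, value in params.items()
    }


def render_edit_input(name, value):
    """HTML input for the edit form; a stored secret is never echoed back."""
    field = html.escape(name, quote=True)
    if name in SENSITIVE_KEYS:
        # type=password masks typing; omitting the value attribute keeps the
        # stored secret out of the page source.
        return f'<input type="password" name="{field}" autocomplete="new-password">'
    shown = html.escape(str(value), quote=True)
    return f'<input type="text" name="{field}" value="{shown}">'


def merge_submitted(stored, submitted):
    """Apply an edit-form submission without wiping secrets left blank."""
    merged = dict(stored)
    for key, value in submitted.items():
        if key in SENSITIVE_KEYS and value == "":
            continue  # blank means "unchanged", because the form showed nothing
        merged[key] = value
    return merged


# Constructed sample data, not real credentials.
STORED = {"username": "netbox-sync", "password": "s3cr3t-example", "branch": "main"}

if __name__ == "__main__":
    print(mask_parameters(STORED))
    print(render_edit_input("password", STORED["password"]))
    print(merge_submitted(STORED, {"branch": "dev", "password": ""}))
```

The `merge_submitted` step matters for the edit-then-save sequence in the report: once the secret is no longer rendered into the form, an untouched field arrives empty and must not overwrite the stored value.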

@jeremystretch
Member

I agree with @abhi1693 that none of the behavior mentioned here deviates from expected operation. While I appreciate the need to treat certain data as sensitive, there is a competing need to make it available to enable certain operations and troubleshooting.

@teixemf if you would like to propose a mechanism for omitting potentially sensitive data from the changelog, please submit a feature request detailing both your proposed implementation as well as consideration of the constraints it would impose. Further, if you would like to propose changes to any of the form fields, please submit a separate FR for those.

@jeremystretch closed this as not planned Oct 13, 2023
@jeremystretch removed the type: bug and status: under review labels Oct 13, 2023
@netbox-community locked as resolved and limited conversation to collaborators Dec 8, 2023