From 66f0f752934c914aa618c5df395ea82206a718b9 Mon Sep 17 00:00:00 2001
From: Valina Li
Date: Mon, 11 Jul 2022 12:17:35 -0700
Subject: [PATCH] fix: Remove MessageBus Options data from configuration after client created fixes #1160; CVE-2022-31066
Signed-off-by: Valina Li
---
internal/core/data/messaging/messaging.go | 3 +++
1 file changed, 3 insertions(+)
diff --git a/internal/core/data/messaging/messaging.go b/internal/core/data/messaging/messaging.go
index fc3c8df7bd..5212cf67dc 100644
--- a/internal/core/data/messaging/messaging.go
+++ b/internal/core/data/messaging/messaging.go
@@ -101,6 +101,9 @@ func BootstrapHandler(ctx context.Context, wg *sync.WaitGroup, startupTimer star
 messageBusInfo.PublishTopicPrefix,
 messageBusInfo.AuthMode))
 
+ // Make sure the MessageBus password is not leaked into the Service Config that can be retrieved via the /config endpoint
+ delete(messageBusInfo.Optional, bootstrapMessaging.OptionsPasswordKey)
+
 return true
 }
 }
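Review bot: The added `delete` removes only `bootstrapMessaging.OptionsPasswordKey` from `messageBusInfo.Optional`, so any other secret-derived entry that earlier code in BootstrapHandler (outside this hunk) may have placed in the same map, such as client key material for certificate-based auth modes, would presumably still be served by the /config endpoint. It also runs only on the success path just before `return true`; if a failure path leaves the service running, the password would stay in the configuration. Consider removing every secret-sourced key in one place once the client has been created, and extend the comment to say which keys are covered, e.g. `// Strip all secret-derived MessageBus options (password, key material) so /config never returns them`. A test asserting that the /config response omits these keys would keep the fix from regressing.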