Fix the potential vulnerability of password showcase of external prov…

…iders

CVE-2024-7259

Issue: Password was visible for external providers after changing input type from password to text in browser developer tools (Inspect tools).

Fix: Added the logic for sending the ******* as password text to UI and updating the password only if user makes any change in password.

Signed-off-by: Saksham Srivastava <saksham.sa.srivastava@oracle.com>

frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/providers/EditProviderModel.java

@@ -47,7 +47,7 @@ public EditProviderModel(SearchableListModel sourceListModel, Provider provider)
         getUrl().setEntity(provider.getUrl());
         getRequiresAuthentication().setEntity(provider.isRequiringAuthentication());
         getUsername().setEntity(provider.getUsername());
-        getPassword().setEntity(provider.getPassword());
+        getPassword().setEntity("********");  //$NON-NLS-1$
         if (provider.isRequiringAuthentication() && provider.getType().isAuthUrlAware()) {
             Uri uri = new Uri(provider.getAuthUrl());
             if (uri.isValid()) {

frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/providers/ProviderModel.java

@@ -648,7 +648,9 @@ private void flush() {
         provider.setRequiringAuthentication(authenticationRequired);
         if (authenticationRequired) {
             provider.setUsername(getUsername().getEntity());
+            if(!getPassword().getEntity().equals("********")) { //$NON-NLS-1$
             provider.setPassword(getPassword().getEntity());
+            }
             if (getTenantName().getIsAvailable()) {
                 OpenStackProviderProperties properties = getOpenStackProviderProperties();
                 properties.setTenantName(getTenantName().getEntity());