Fixed a security issue where the OAuth2 client ID and secret exposed …

…through the web browser (CVE-2024-9014). #7945
pgadmin-org · Sep 20, 2024 · a0aa185 · a0aa185
1 parent 1f53bae
commit a0aa185
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/docs/en_US/release_notes_8_12.rst b/docs/en_US/release_notes_8_12.rst
@@ -2,7 +2,7 @@
 Version 8.12
 ************
 
-Release date: 2024-09-19
+Release date: 2024-09-23
 
 This release contains a number of bug fixes and new features since the release of pgAdmin 4 v8.11.
 
@@ -39,4 +39,5 @@ Bug fixes
   | `Issue #7839 <https://github.com/pgadmin-org/pgadmin4/issues/7839>`_ -  Added support for OIDC based OAuth2 authentication.
   | `Issue #7878 <https://github.com/pgadmin-org/pgadmin4/issues/7878>`_ -  Fixed an issue where cursor moves to end of line when editing input fields.
   | `Issue #7890 <https://github.com/pgadmin-org/pgadmin4/issues/7890>`_ -  Fixed an issue where "Quit App" confirmation modal in desktop app is not respecting "Confirm on close or refresh?".
-  | `Issue #7895 <https://github.com/pgadmin-org/pgadmin4/issues/7895>`_ -  Fixed an issue where different client backend shows all SQL are same.
+  | `Issue #7895 <https://github.com/pgadmin-org/pgadmin4/issues/7895>`_ -  Fixed an issue where different client backend shows all SQL are same.
+  | `Issue #7945 <https://github.com/pgadmin-org/pgadmin4/issues/7945>`_ -  Fixed a security issue where the OAuth2 client ID and secret exposed through the web browser (CVE-2024-9014).
diff --git a/web/pgadmin/templates/security/login_user.html b/web/pgadmin/templates/security/login_user.html
@@ -4,6 +4,15 @@
 {% for key, lang in config.LANGUAGES.items() %}
 {% set _ = ns.langOptions.append({'value': key, 'label': lang}) %}
 {% endfor %}
+{% set oauth2_config = [] %}
+{% for i in config.OAUTH2_CONFIG %}
+  {% set _tmp = oauth2_config.append({'OAUTH2_NAME': config.OAUTH2_CONFIG[loop.index-1]['OAUTH2_NAME'],
+    'OAUTH2_BUTTON_COLOR':  config.OAUTH2_CONFIG[loop.index-1]['OAUTH2_BUTTON_COLOR'],
+    'OAUTH2_DISPLAY_NAME':  config.OAUTH2_CONFIG[loop.index-1]['OAUTH2_DISPLAY_NAME'],
+    'OAUTH2_ICON':  config.OAUTH2_CONFIG[loop.index-1]['OAUTH2_ICON']
+  }) %}
+{% endfor %}
+
 {% set page_props = {
     'userLanguage': user_language,
     'langOptions': ns.langOptions,
@@ -15,7 +24,7 @@
         'OAUTH2': config.OAUTH2,
         'KERBEROS': config.KERBEROS,
     },
-    'oauth2Config': config.OAUTH2_CONFIG,
+    'oauth2Config': oauth2_config,
     'loginBanner': config.LOGIN_BANNER|safe
 } %}
 {% extends "security/render_page.html" %}