
fix(admin): strip SSL private keys array in GET single and list responses#13227

Open
AlinsRan wants to merge 1 commit into apache:master from AlinsRan:fix/admin-ssl-keys-strip-and-limit-count-credentials

Conversation

Contributor

@AlinsRan AlinsRan commented Apr 15, 2026

Summary

Two security fixes for the Admin API SSL resource handler.

Fix 1: Admin API SSL GET single response exposes keys array

GET /apisix/admin/ssls/{id} cleared the key field (single-cert private key) but left the keys array (multi-cert private keys) intact, so callers retrieving a multi-cert SSL object received all additional private keys in plain text.

Root cause: The sanitization block only set value.key = nil and did not touch value.keys.

Fix: Set value.keys = nil alongside value.key = nil in the single-resource GET path.

Fix 2: Admin API SSL list response does not sanitize private keys at all

GET /apisix/admin/ssls (range / list query) returned every item's key and keys fields without any sanitization.

Root cause: The sanitization logic only ran on res.body.node.value (single-item path); the list path (res.body.list) was never covered.

Fix: After the single-item sanitization block, add a loop over res.body.list that strips both key and keys from every item's value.

Changes

  • apisix/admin/resource.lua: strip keys = nil in single GET; add list sanitization loop for both key and keys
  • t/admin/ssl.t: TEST 24 verifies keys is absent in single GET; TEST 25 verifies both fields absent in list GET; TEST 26 cleans up

Tests

  • TEST 24: PUT a multi-cert SSL object, GET it by ID, assert neither key nor keys appears in the response body.
  • TEST 25: GET the SSL list, iterate every item, assert neither key nor keys is present.
  • TEST 26: DELETE the SSL object created in TEST 24.
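A minimal Lua sketch of the before/after sanitization described above, added here as an example and not the project's own apisix/admin/resource.lua. The function names, the sample SSL object, and any response fields beyond res.body.node.value and res.body.list are assumptions.

```lua
-- Illustration of the sanitization logic described in the PR (added example,
-- not the project's apisix/admin/resource.lua). Response shape follows the
-- PR text: single GET -> res.body.node.value, list GET -> res.body.list[i].value.
-- Before the fix: only the single-cert `key` of a single GET was cleared.
local function sanitize_before(res)
    if res.body.node and res.body.node.value then
        res.body.node.value.key = nil      -- `keys` array was left intact
    end
    return res                             -- list responses were never touched
end

-- After the fix: clear both `key` and `keys`, on the single item and on
-- every item of a list response.
local function strip_private_keys(value)
    if value then
        value.key = nil
        value.keys = nil
    end
end

local function sanitize_after(res)
    if res.body.node then
        strip_private_keys(res.body.node.value)
    end
    if res.body.list then
        for _, item in ipairs(res.body.list) do
            strip_private_keys(item.value)
        end
    end
    return res
end

-- Constructed sample: a multi-cert SSL object (values are placeholders).
local function multi_cert_ssl()
    return { snis = { "example.com" }, cert = "CERT-1", key = "PRIVATE-1",
             certs = { "CERT-2" }, keys = { "PRIVATE-2" } }
end
local single = { body = { node = { value = multi_cert_ssl() } } }
local list = { body = { list = { { value = multi_cert_ssl() } } } }

-- The two leaks the PR fixes: `keys` survives a single GET, and a list GET
-- returns both fields untouched.
sanitize_before(single); sanitize_before(list)
assert(single.body.node.value.key == nil and single.body.node.value.keys ~= nil)
assert(list.body.list[1].value.key ~= nil and list.body.list[1].value.keys ~= nil)

sanitize_after(single); sanitize_after(list)
assert(single.body.node.value.keys == nil)
assert(list.body.list[1].value.key == nil and list.body.list[1].value.keys == nil)
assert(list.body.list[1].value.cert == "CERT-1")  -- public material is kept
print("sanitization checks passed")
```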

dosubot (bot) added the labels size:L (This PR changes 100-499 lines, ignoring generated files) and bug (Something isn't working) on Apr 15, 2026
…nses

Admin API GET /apisix/admin/ssls/{id} cleared the `key` field (single-cert
private key) but left the `keys` array (multi-cert private keys) intact.
The list response (GET /apisix/admin/ssls) did not sanitize either `key` or
`keys` at all.

- Strip `keys = nil` alongside `key = nil` in single-resource GET
- Add list response sanitization loop stripping both `key` and `keys` from
  every item
AlinsRan force-pushed the fix/admin-ssl-keys-strip-and-limit-count-credentials branch from d22e2f3 to 9c1b71e on April 16, 2026 01:53