Question

Hello, there is a security issue with the FME Server Job Submitter and/or the Password-type user parameter. If the job submitter returns an error, the password is decrypted and shown in the log. This should not happen. [FME 2018.1]

  • 5 July 2022

I have created an encoded password user parameter and used it with the job submitter, but if the job submitter returns an error, the password is decrypted and shown in the log, as seen in the screenshots below.

 

[Screenshots: decrypted password in log; Password User Parameter]


1 reply

Hi @jvanravenswaaij! I wasn't able to reproduce the "Unable to process parameter 'string' with type" error messages. However, I did notice in 2018.1 that double-clicking a password parameter value in an FMEServerJobSubmitter will reveal the exact same encrypted password value that's in your screenshot. Thankfully it's not logged as plain text. These bugs seem to be related, and they have been resolved in FME 2019.0 unless your tests show otherwise in a newer version?
