Fix Credential Data Leak (FlowiseAI#6042)

christopherholland-workday · christopherholland-workday · yau-wd · web-flow · commit 97b96f60d3f7 · 2026-03-24T23:00:19.000+08:00
Co-authored-by: christopherholland-workday &lt;christopher.holland+evisort@workday.com&gt;
Co-authored-by: yau-wd &lt;yau.ong@workday.com&gt;
diff --git a/packages/agentflow/src/infrastructure/api/credentials.test.ts b/packages/agentflow/src/infrastructure/api/credentials.test.ts
@@ -33,5 +33,15 @@ describe('bindCredentialsApi', () => {
             expect(mockClient.get).toHaveBeenCalledWith('/credentials', { params: { credentialName: 'openAIApi' } })
             expect(result).toEqual(mockCredentials)
         })
+
+        it('should not expose encryptedData in the response', async () => {
+            const mockCredentials = [{ id: '1', name: 'My OpenAI Key', credentialName: 'openAIApi' }]
+            ;(mockClient.get as jest.Mock).mockResolvedValue({ data: mockCredentials })
+
+            const result = await api.getCredentialsByName('openAIApi')
+            for (const credential of result) {
+                expect(credential).not.toHaveProperty('encryptedData')
+            }
+        })
     })
 })
diff --git a/packages/server/src/services/credentials/index.ts b/packages/server/src/services/credentials/index.ts
@@ -60,15 +60,15 @@ const getAllCredentials = async (paramCredentialName: any, workspaceId: string)
                         ...getWorkspaceSearchOptions(workspaceId)
                     }
                     const credentials = await appServer.AppDataSource.getRepository(Credential).findBy(searchOptions)
-                    dbResponse.push(...credentials)
+                    dbResponse.push(...credentials.map((c) => omit(c, ['encryptedData'])))
                 }
             } else {
                 const searchOptions = {
                     credentialName: paramCredentialName,
                     ...getWorkspaceSearchOptions(workspaceId)
                 }
                 const credentials = await appServer.AppDataSource.getRepository(Credential).findBy(searchOptions)
-                dbResponse = [...credentials]
+                dbResponse = credentials.map((c) => omit(c, ['encryptedData']))
             }
             // get shared credentials
             if (workspaceId) {

Original file line number	Diff line number	Diff line change
`@@ -60,15 +60,15 @@ const getAllCredentials = async (paramCredentialName: any, workspaceId: string)`
`60`	`60`	`...getWorkspaceSearchOptions(workspaceId)`
`61`	`61`	`}`
`62`	`62`	`const credentials = await appServer.AppDataSource.getRepository(Credential).findBy(searchOptions)`
`63`		`- dbResponse.push(...credentials)`
	`63`	`+ dbResponse.push(...credentials.map((c) => omit(c, ['encryptedData'])))`
`64`	`64`	`}`
`65`	`65`	`} else {`
`66`	`66`	`const searchOptions = {`
`67`	`67`	`credentialName: paramCredentialName,`
`68`	`68`	`...getWorkspaceSearchOptions(workspaceId)`
`69`	`69`	`}`
`70`	`70`	`const credentials = await appServer.AppDataSource.getRepository(Credential).findBy(searchOptions)`
`71`		`- dbResponse = [...credentials]`
	`71`	`+ dbResponse = credentials.map((c) => omit(c, ['encryptedData']))`
`72`	`72`	`}`
`73`	`73`	`// get shared credentials`
`74`	`74`	`if (workspaceId) {`