Few studio activities incompatible with workflow analyzer rule (ST-SEC-009)

Hi UiPath team,

As part of our governance implementation at an enterprise level, we have come across a few findings which we would like to share with you.

The Studio activities below are found to be incompatible with the workflow analyzer rule ST-SEC-009 (secure string misusage), even in its default state, as these activities don’t accept credentials in a secure way. Rule ST-SEC-009 aims to identify such patterns and help block them from entering production, thus making it impossible for such scenarios to co-exist with governance enabled on this rule:

| Studio Package | Studio Activity | Issue | Assets (credential) |
| --- | --- | --- | --- |
| UiPath.WebAPI.Activities = 1.7.0 | HTTP activity | Headers section under Options in properties panel doesn’t accept API key as secure string | API Key |
| UiPath.WebAPI.Activities = 1.7.0 | HTTP activity | Request Body under Options in properties panel doesn’t accept Password as secure string | Password |
| UiPath.Database.Activities = 1.4.0 | Connect Activity | Connection string doesn’t accept Password as secure string | Password |
| UiPath.Cryptography.Activities = 1.2.0 | Encrypt/Decrypt Activity | Key section doesn’t accept Encryption key as secure string | Encryption Key |

Hope this info helps to identify and resolve more such patterns in Studio activities.

Regards
Sonali

Thanks for reporting.

We will address this in the next releases of the activities.

Hi @alexandru,

Just following up on this discussion from 2021.

We are able to see that a secure way of providing creds/API key has been added in the latest database and cryptography packages. Thank you for considering our request on the same.

However, we are not able to find any place in the HTTP activity yet for providing a password in secure string format.

Are you able to share any update on the same, please?

Regards
Sonali

Hi @sonaliaggarwal47

This link could be helpful in general - to marshal the secureString into a managed string (and free the native buffer):

Cheers
Roman
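
The marshalling pattern mentioned in the reply above, as an added C# example that is not part of the original thread and not UiPath's own code: it copies a SecureString into a managed string just before it is placed in an HTTP header, then zeroes and frees the native buffer. The header name, URL and sample key are constructed assumptions.

```csharp
using System;
using System.Net.Http;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringInterop
{
    // Copies the SecureString into a managed string, then zeroes and frees
    // the unmanaged copy. The returned string is immutable and stays on the
    // managed heap until garbage collected, so keep its scope as narrow as possible.
    public static string ToManagedString(SecureString secret)
    {
        if (secret == null) throw new ArgumentNullException(nameof(secret));
        IntPtr buffer = IntPtr.Zero;
        try
        {
            buffer = Marshal.SecureStringToGlobalAllocUnicode(secret);
            return Marshal.PtrToStringUni(buffer);
        }
        finally
        {
            // Runs even if PtrToStringUni throws, so the plaintext never leaks natively.
            if (buffer != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(buffer);
        }
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample secret; in a workflow it would come from a credential asset.
        using (var apiKey = new SecureString())
        {
            foreach (char c in "constructed-sample-key") apiKey.AppendChar(c);
            apiKey.MakeReadOnly();

            // Placeholder URL and assumed header name, for illustration only.
            using (var request = new HttpRequestMessage(HttpMethod.Get, "https://api.example.invalid/v1/items"))
            {
                // Convert at the last moment and never store the plaintext in a variable or log.
                request.Headers.Add("X-Api-Key", SecureStringInterop.ToManagedString(apiKey));
                Console.WriteLine(request.Headers.Contains("X-Api-Key"));
            }
        }
    }
}
```

The native buffer is wiped, but the managed string held by the header is not, which is why an activity input that accepts a secure string directly remains the stronger fix.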