Passwords should be excluded from `toString`

[mgrafl]

For the Java Spring generator (and potentially others), the generated toString method includes all properties:

openapi-generator/modules/openapi-generator/src/main/resources/JavaSpring/pojo.mustache

Line 289 in d642141

{{#vars}}sb.append(" {{name}}: ").append(toIndentedString({{name}})).append("\n");

The properties may include sensitive information, such as passwords.
Since the toString method is primarily used for logging purposes, sensitive information should be redacted (see also CWE-532).

The OpenAPI specification already has the modifier property called format, that can be set to password as a hint that a field contains sensitive information (see https://spec.openapis.org/oas/v3.1.0#data-types).

Proposed mitigation:

• The generator(s) should honor this hint in the generated toString method and skip (or redact) fields that are marked as format: password.

Compatibility considerations:

• Since the toString method includes the class name before the opening curly brackets, there is no risk that developers might mistakenly use the toString method for JSON serialization.

Related issues:

• [REQ] Spring: Add option to disable creating toString()-Method #14156 requests an enhancement feature for customizing and/or skipping toString method generation.
  Even though such a more flexible vendor extension could achieve the same goal, the secure default should be to always exclude sensitive information from the toString method.

[dabdirb]

the better solution is not exclude password field from toString() method, replace password as another string, such as "***" or "[MASKED]".
PR #16942

[wing328]

closed via #16942