Description
Checklist
- Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
- Yes
- Are you sure you're not using someone else's docker image?
- Yes
- Have you searched for similar issues (both open and closed)?
- Yes
Describe the bug
The API returns the Private Keys for manually uploaded Certificates on every get request to /api/nginx/certificates. This can be captured through the dev console or directly by requesting the endpoint directly.
For security, there is no good reason to return the Private Key of stored certificates to anyone as you only need the public data to identify the certificate and its validity.
There is a point to say that it is secured behind authentication, but even then, transmitting this information outside of the Nginx environment is neither desired nor required behaviour.
Nginx Proxy Manager Version
v2.13.5
To Reproduce
Steps to reproduce the behavior:
Requirements
A manually uploaded certificate & key.
- Open your Browser Developer Console
- Click on 'Network'
- Browse to the "Certificates" Tab in NPM
- Look at the response data for the call to "/api/nginx/certificates" for the key: meta.certificate_key
Expected behavior
The meta JSON key should instead at most contain a summary of the private key information (e.g. key length & cipher) as opposed to sending the full key back in the response.
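One way to produce the response described under "Expected behavior", as an added example that is not part of the original issue and not Nginx Proxy Manager's own code: strip `meta.certificate_key` before serialization, replace it with a summary, and check payloads for leftover PEM private keys. The row shape, the function names and the `certificate_key_summary` field are assumptions made for illustration.

```javascript
// Added example, not Nginx Proxy Manager code. The row shape and the
// certificate_key_summary field name are assumptions for illustration.
const crypto = require("node:crypto");

// Describe a PEM private key without exposing it: algorithm plus size or curve.
function summarizeKey(pem) {
  try {
    const key = crypto.createPrivateKey(pem);
    const details = key.asymmetricKeyDetails || {};
    return {
      type: key.asymmetricKeyType,           // e.g. "rsa", "ec", "ed25519"
      bits: details.modulusLength ?? null,   // RSA modulus size, if any
      curve: details.namedCurve ?? null,     // EC curve name, if any
    };
  } catch {
    // Unparseable or passphrase-protected input: never echo it back.
    return { type: "unknown", bits: null, curve: null };
  }
}

// Return a copy of a certificate row that is safe to send to an API client.
function toPublicCertificate(row) {
  const { certificate_key, ...meta } = row.meta || {};
  if (typeof certificate_key === "string") {
    meta.certificate_key_summary = summarizeKey(certificate_key);
  }
  return { ...row, meta };
}

// Regression check: does any string in the payload look like a PEM private key?
function leaksPrivateKey(value) {
  if (typeof value === "string") {
    return /-----BEGIN [A-Z ]*PRIVATE KEY-----/.test(value);
  }
  if (value && typeof value === "object") {
    return Object.values(value).some(leaksPrivateKey);
  }
  return false;
}

// Constructed sample row: a throwaway EC key generated at run time.
function sampleRow() {
  const { privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const pem = privateKey.export({ type: "pkcs8", format: "pem" });
  return { id: 1, meta: { certificate: "(public cert PEM omitted)", certificate_key: pem } };
}
```

A check like `leaksPrivateKey` can run in an API test against every certificate response so that a later change to the serializer cannot silently reintroduce the key.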