fix: don't put hashed password in share api response

Signed-off-by: Robin Appelman <robin@icewind.nl>

apps/files_sharing/lib/Controller/ShareAPIController.php

@@ -273,10 +273,10 @@ class ShareAPIController extends OCSController {
 
 			// "share_with" and "share_with_displayname" for passwords of link
 			// shares was deprecated in Nextcloud 15, use "password" instead.
-			$result['share_with'] = $share->getPassword();
+			$result['share_with'] = $this->formatPasswordField($share->getPassword());
 			$result['share_with_displayname'] = '(' . $this->l->t('Shared link') . ')';
 
-			$result['password'] = $share->getPassword();
+			$result['password'] = $this->formatPasswordField($share->getPassword());
 
 			$result['send_password_by_talk'] = $share->getSendPasswordByTalk();
 
@@ -292,7 +292,7 @@ class ShareAPIController extends OCSController {
 			$result['token'] = $token;
 		} elseif ($share->getShareType() === IShare::TYPE_EMAIL) {
 			$result['share_with'] = $share->getSharedWith();
-			$result['password'] = $share->getPassword();
+			$result['password'] = $this->formatPasswordField($share->getPassword());
 			$result['password_expiration_time'] = $share->getPasswordExpirationTime() !== null ? $share->getPasswordExpirationTime()->format(\DateTime::ATOM) : null;
 			$result['send_password_by_talk'] = $share->getSendPasswordByTalk();
 			$result['share_with_displayname'] = $this->getDisplayNameFromAddressBook($share->getSharedWith(), 'EMAIL');
@@ -351,6 +351,10 @@ class ShareAPIController extends OCSController {
 		return $result;
 	}
 
+	private function formatPasswordField(?string $password): ?string {
+		return ($password === null) ? null : 'redacted';
+	}
+
 	/**
 	 * Check if one of the users address books knows the exact property, if
 	 * not we return the full name.