Jira Commit Hint plugin credentials stored in plain text #4447
Comments
I think it is not a bad solution, but there is an issue with the current settings architecture and the Credential Manager. I really need this fix for our company and I can do it, but I am not sure about my vision of the fix. I have the questions:
I would deprecate the old insecure storage mechanism and replace it with a secure store. It may be a little inconvenient for a user to re-enter username/password, but it is a small price to pay for security. It is a good idea to lock username/password persistence to the local config only to prevent accidental sharing of secrets.
I did this proof of concept some time ago to store passwords in the credential manager. I don't know if it could help you: https://github.com/pmiossec/gitextensions/tree/passwords_in_credential_manager
Philippe, thanks. My prototype is the same :-). I will try to find free time to finish the fix.
If you plan to fix it, you surely should create the pull request now.
* Credentials for the JIRA plugin are saved to the Windows Credential Manager.
* Global and local (local = distributed in this case) setting levels are supported. It is needed for users who work with several JIRA instances and different accounts. The distributed level is not supported because the Credential Manager is not a file storage.

Fixes gitextensions#4447

Co-authored-by: Ivan Sterkhov <stivx0@users.noreply.github.com>
Do you want to request a feature or report a bug?
bug
What is the current behavior?
Credentials are stored in plain text
If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.
Choose to persist the settings into the "Distributed with current repository" settings source (it doesn't matter which layer it is stored in; this layer just makes it easier to see)
Open the GitExtensions.settings file:
What is the expected behavior?
Password isn't stored at all.
The issue may not be a big deal for home users who rarely change passwords and do not share their computers with anyone. However, in corporate environments, storing passwords in plain text, especially in settings which may be committed into a public repository, is a massive security issue.
The username must not be persisted into a configuration file either. Credentials must be persisted into Windows Vault (credential store).
A few links to start with:
Environment you encounter the issue:
2.51 / master
/cc: @ierof @pmiossec
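The check a practitioner would want alongside this report, as an added example that is not code from Git Extensions or from anyone in this thread: a small Python script that can run as a pre-commit hook and refuse a GitExtensions.settings file that still carries a plaintext username or password. It assumes the settings file uses a dictionary/item/key/value XML layout and that the plugin's keys contain "User" or "Password" in their names (both assumptions, not taken from the issue); the settings file embedded below is constructed for the demonstration.

```python
"""Flag plaintext credentials in a GitExtensions.settings-style XML file.

Added example, not code from Git Extensions.  Assumes (not confirmed by the
issue) that the settings file is a <dictionary> of <item> elements, each with
<key><string>...</string></key> and <value><string>...</string></value>, and
that credential keys contain "User"/"Password" in their names.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample settings file; the key names are assumptions for
# illustration, not the plugin's real identifiers.
SAMPLE_SETTINGS = """<dictionary>
  <item><key><string>JiraCommitHintPlugin.JiraUrl</string></key>
        <value><string>https://jira.example.invalid</string></value></item>
  <item><key><string>JiraCommitHintPlugin.JiraUser</string></key>
        <value><string>alice</string></value></item>
  <item><key><string>JiraCommitHintPlugin.JiraPassword</string></key>
        <value><string>hunter2</string></value></item>
  <item><key><string>GitCommandLog.Enabled</string></key>
        <value><string>true</string></value></item>
</dictionary>
"""

# Keys that must never carry a value in a file that can be committed.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|apikey|api_key)", re.I)
# Keys naming an account; the issue asks for the username not to be persisted either.
IDENTITY_KEY_RE = re.compile(r"(user(name)?|login)$", re.I)


def parse_settings(xml_text):
    """Return {key: value} from the dictionary/item/key/value layout."""
    root = ET.fromstring(xml_text)
    result = {}
    for item in root.iter("item"):
        key = item.findtext("key/string")
        value = item.findtext("value/string")
        if key is not None:
            result[key] = value or ""
    return result


def find_plaintext_credentials(settings):
    """Return [(key, severity)] for every non-empty credential-looking value.

    A secret-looking key with a value is 'high'; a username-looking key with
    a value is 'medium'.  Empty values are not reported, so a file where the
    credentials have been moved to the Credential Manager passes cleanly.
    """
    findings = []
    for key, value in settings.items():
        if not value:
            continue
        if SECRET_KEY_RE.search(key):
            findings.append((key, "high"))
        elif IDENTITY_KEY_RE.search(key):
            findings.append((key, "medium"))
    return findings


def scan_file(path):
    """Scan one settings file on disk and return its findings."""
    with open(path, encoding="utf-8") as fh:
        return find_plaintext_credentials(parse_settings(fh.read()))


if __name__ == "__main__":
    # Pre-commit usage: python scan_settings.py GitExtensions.settings
    # With no arguments the constructed sample is scanned instead.
    paths = sys.argv[1:]
    if paths:
        findings = [(p, f) for p in paths for f in scan_file(p)]
    else:
        findings = [("<sample>", f)
                    for f in find_plaintext_credentials(parse_settings(SAMPLE_SETTINGS))]
    for path, (key, severity) in findings:
        print(f"{path}: {severity}: {key} has a plaintext value")
    sys.exit(1 if findings else 0)
```

Run it from a pre-commit hook against any GitExtensions.settings in the index; a non-zero exit blocks the commit. The severity split mirrors the two requests in the issue: a password in the file is the real problem, but a persisted username is still flagged because the reporter asks for neither to reach a configuration file.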