Passwords for Database user and LDAP bind user are stored in plain text #15460
Comments
|
It sounds like you have identified the issue and the solution. Perhaps you could provide a PR? |
While I would like to help as much as I can, however I never wrote a line of code in GO, so until I'm comfortable doing it I should pass this opportunity to someone with more experience. The logic should be pretty simple: you encrypt it as soon as you read it and decrypt it only when you need to use it. |
|
I cannot know what do you mean. Which table and which column? |
Table: login_source, When login source is LDAP via BindDN bind password value within JSON string is plain text. Also, database user password in app.ini database section PASSWD value is plain text as well. |
lunny
added
the
topic/security
The LDAP source bind password are currently stored in plaintext in the db This PR simply encrypts them with the setting.SECRET_KEY. Fix go-gitea#15460 Signed-off-by: Andrew Thornton <art27@cantab.net>
|
That the configuration file contains necessary passwords for configuring the service is essentially unfixable - at some point these have to be unencrypted and the secrets have to become available some way. I have however, put a PR up that encrypts the ldap bind password within the db. |
I would have to respectfully disagree with your statement. Any password should be encrypted the moment it was read during initial setup and held in the encrypted state in any long term storage (memory, text file, etc.). decryption should occur at the place of the immediate use, such as when connection to DB is happening. It just feels like a common sense.
That is a step in the right direction. Thank you. |
* Encrypt LDAP bind password in db with SECRET_KEY The LDAP source bind password are currently stored in plaintext in the db This PR simply encrypts them with the setting.SECRET_KEY. Fix #15460 Signed-off-by: Andrew Thornton <art27@cantab.net> * remove ui warning regarding unencrypted password Co-authored-by: silverwind <me@silverwind.io>
* Encrypt LDAP bind password in db with SECRET_KEY The LDAP source bind password are currently stored in plaintext in the db This PR simply encrypts them with the setting.SECRET_KEY. Fix go-gitea#15460 Signed-off-by: Andrew Thornton <art27@cantab.net> * remove ui warning regarding unencrypted password Co-authored-by: silverwind <me@silverwind.io>
[x]):Bad security practice of storing passwords in plain text
Description
While application does provide a warning that it stores password in plain text, I think we all agree that this is a big security issue independently from how many privileges user has.
There is an existing module modules/secret/secret.go that allows for two way encryption. Why is it not used to encrypt password values stored in app.ini and in the database in case of LDAP auth.
...
Screenshots
The text was updated successfully, but these errors were encountered: