
[External] [Bug] CWE-798 Security Vulnerability - Plain Text Password #202

Open · 1 task done

thomasphung opened this issue Oct 1, 2024 · 0 comments

Labels: bug (Something isn't working)

thomasphung commented Oct 1, 2024

What is the Bug Related To? Please Provide a Description. 

Having a password stored in plaintext is not a good idea, especially if it is in a file tracked by Git.

default_config.yaml can expose a user's password if this file is absent from .gitignore and the cloned repo is uploaded to a public Git repository. If downstream users (or even TOSTADAS devs) misconfigure the .gitignore and share their cloned/forked version of TOSTADAS with other team members for development, then the password can be accidentally leaked.

For generic details of this type of vulnerability see https://cwe.mitre.org/data/definitions/798.html (Example 4 shows plaintext password in config file)

Place an ❌ in a Box that Best Matches the Bug's Importance:

  - [ ] 1 - Most severe (a full-break in core function)
  - [ ] 2-4 - Moderate (break for a particular aspect/feature) (how integral is the broken feature?)
  - [x] 5 - Least severe (non-functional issue, such as inconsistency / error in documentation or administrative in nature)

Not severe in affecting functionality but is a big security issue that should be addressed, especially if this is used in production workloads.

Please Complete the Following Information:

  - OS: [e.g. iOS]: N/A
  - Browser [e.g. chrome, safari]: N/A
  - Version [e.g. 22]: N/A
  - Run environment (container, cloud service, HPC, platform, etc.): N/A

Please Outline Necessary Steps to Replicate Bug (Go to.. Click on... Install the following... etc.): N/A

Any Additional Context or Information? Has There Been Any Progress Made So Far Towards this Request? Any Concrete Instructions to Resolve the Bug or Helpful Resources to Reference? Screenshots or Logs?

Possible solutions:

  - Move user credentials out of the repo's config file into an environment variable (in a .env file). Update the code to read from said location.
  - Set up a remote secrets manager, such as Azure Key Vault, AWS Secrets Manager, or HashiCorp Vault, if the code is being used in production workloads.
  - Encryption of the password is possible, but it adds another step for users, who would need to generate private keys local to their machine.

In Case for Additional Follow-Up, Please Provide your Email: [email protected]

@thomasphung thomasphung added the bug Something isn't working label Oct 1, 2024
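The first suggested fix (credentials out of the tracked config, read from the environment instead) can be paired with a check that refuses to run, or to commit, while a literal password is still in the config file. The following is an added example written for this issue, not TOSTADAS project code: the environment variable name `TOSTADAS_SUBMISSION_PASSWORD`, the sample config text and the flat `key: value` parser (a stand-in for the project's real YAML loading) are all assumptions made here.

```python
"""Added example (not TOSTADAS project code): keep the submission password out
of the tracked config file, read it from the environment, and detect literal
secrets left behind in config text so a pre-commit hook can block them."""
import os
import re
from typing import Mapping, Optional

# Keys that should never carry a literal value in a Git-tracked config file.
# Constructed pattern; adjust the key words to the project's own naming.
SECRET_KEY_RE = re.compile(
    r"^(?P<key>[A-Za-z0-9_]*(password|passwd|secret|token|api_key)[A-Za-z0-9_]*)"
    r"\s*:\s*(?P<value>.*)$",
    re.IGNORECASE,
)

# Values that are placeholders rather than secrets (empty, null, quoted empty).
PLACEHOLDER_VALUES = {"", "''", '""', "null", "~", "none"}

# Constructed sample config text; NOT the real default_config.yaml.
SAMPLE_CONFIG = """\
# constructed sample, not the real default_config.yaml
submission_url: https://example.invalid/submit
username: submitter
password: hunter2              # literal secret: must be flagged
api_token: ${NCBI_API_TOKEN}   # reference to an env var: accepted
"""

# Assumed env var name; the project would pick its own.
DEFAULT_ENV_VAR = "TOSTADAS_SUBMISSION_PASSWORD"


def find_plaintext_secrets(config_text: str) -> list:
    """Scan flat 'key: value' lines (a simplified YAML subset) and return
    (line_number, key) for every secret-looking key holding a literal value.
    Suitable as the body of a pre-commit check over tracked config files."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        match = SECRET_KEY_RE.match(line)
        if not match:
            continue
        value = match.group("value").strip()
        # Empty/null placeholders and ${ENV_VAR} references are fine.
        if value.lower() in PLACEHOLDER_VALUES or value.startswith("${"):
            continue
        findings.append((lineno, match.group("key")))
    return findings


def load_flat_config(config_text: str) -> dict:
    """Minimal parser for flat 'key: value' lines. The real project loads YAML;
    this stand-in keeps the example dependency-free."""
    config = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        config[key.strip()] = value.strip()
    return config


def resolve_password(config: dict, env: Optional[Mapping[str, str]] = None,
                     env_var: str = DEFAULT_ENV_VAR) -> str:
    """Return the password from the environment (or a .env file already
    exported into it). Refuses to proceed if the config still carries a
    literal password, so the insecure path cannot silently keep working."""
    env = os.environ if env is None else env
    literal = config.get("password")
    if literal not in (None, ""):
        raise ValueError(
            "plaintext 'password' found in config file; remove it and set "
            f"{env_var} in the environment instead"
        )
    try:
        return env[env_var]
    except KeyError:
        raise KeyError(
            f"{env_var} is not set; export it in your shell or in a .env file "
            "that is listed in .gitignore"
        ) from None


if __name__ == "__main__":
    for lineno, key in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: literal value for secret key '{key}'")
    safe_config = load_flat_config(SAMPLE_CONFIG)
    safe_config["password"] = ""  # what the config should look like after the fix
    print(resolve_password(safe_config, env={DEFAULT_ENV_VAR: "from-env"}))
```

Wiring `find_plaintext_secrets` into a pre-commit hook over `default_config.yaml` catches the misconfigured-.gitignore case the issue describes before the file reaches a remote, while `resolve_password` makes the pipeline itself reject a config that still holds a literal password instead of quietly accepting it.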