
Client Secrets disclosed in web API

Open cpandya2909 opened this issue 6 years ago • 2 comments

  • Sonarqube Version: 7.4
  • Plugin: sonar-auth-aad-plugin-1.1-RC2.jar

When calling the "/api/settings/values" API, "sonar.auth.aad.clientId.secured", "sonar.auth.aad.clientSecret.secured" and "sonar.auth.aad.tenantId" are disclosed in clear text without any authentication required.

As this information is secret, it should not be disclosed without any authentication.

cpandya2909 · Dec 05 '18 09:12
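An added audit check for the disclosure described in this report; it is not code from the issue, the plugin, or SonarSource. It parses a `/api/settings/values` response (a constructed sample with placeholder values is embedded) and flags every `.secured` key, plus the tenant id named above, whose value is still returned. The `FIXED_RESPONSE` sample assumes the post-9.1 behaviour of omitting raw secured values.

```python
"""Flag secured SonarQube settings whose values an /api/settings/values response exposes."""
import json
import sys

# Constructed sample of what an affected instance could return to an
# unauthenticated GET /api/settings/values (placeholder values, not real ones).
SAMPLE_RESPONSE = json.dumps({
    "settings": [
        {"key": "sonar.auth.aad.clientId.secured", "value": "PLACEHOLDER-CLIENT-ID"},
        {"key": "sonar.auth.aad.clientSecret.secured", "value": "PLACEHOLDER-SECRET"},
        {"key": "sonar.auth.aad.tenantId", "value": "PLACEHOLDER-TENANT"},
        {"key": "sonar.core.serverBaseURL", "value": "https://sonar.example.test"},
    ]
})

# Constructed sample assuming the fixed behaviour: secured keys carry no raw value.
FIXED_RESPONSE = json.dumps({
    "settings": [
        {"key": "sonar.auth.aad.clientId.secured"},
        {"key": "sonar.auth.aad.clientSecret.secured"},
        {"key": "sonar.core.serverBaseURL", "value": "https://sonar.example.test"},
    ]
})

# Keys without the ".secured" suffix that this report still treats as sensitive.
EXTRA_SENSITIVE = ("sonar.auth.aad.tenantId",)


def find_disclosed_secrets(body: str, extra_sensitive=EXTRA_SENSITIVE):
    """Return, sorted, the sensitive keys for which the response carries a value."""
    data = json.loads(body)
    disclosed = []
    for setting in data.get("settings", []):
        key = setting.get("key", "")
        if not (key.endswith(".secured") or key in extra_sensitive):
            continue
        # Single-value, multi-value and property-set settings all count.
        value = setting.get("value") or setting.get("values") or setting.get("fieldValues")
        if value:
            disclosed.append(key)
    return sorted(disclosed)


def audit(body: str) -> dict:
    """Summarise the check: which keys leaked and whether the instance passes."""
    leaked = find_disclosed_secrets(body)
    return {"disclosed": leaked, "ok": not leaked}


if __name__ == "__main__":
    # Optional argument: a file holding a saved /api/settings/values response.
    body = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESPONSE
    print(json.dumps(audit(body), indent=2))
```

Save the unauthenticated response of your own instance to a file and pass it as the argument; a non-empty `disclosed` list means the permission fix from the comments below, or the upgrade, has not taken effect.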

Hi, this is a known issue/feature: https://jira.sonarsource.com/browse/SONAR-11512. You need to remove the 'Anyone' permission from 'Execute Analysis' in Global Permissions. Regards

julienlancelot · Dec 05 '18 09:12

Basically, what julienlancelot wrote. We can't hide these values because SonarQube doesn't support that yet. Anyone with the "Execute Analysis" permission can access all the system variables. If and when MMF-590 is implemented, we'll use that to protect our settings. I'll leave this open for now if there are any suggestions on how to better secure the values with what we have right now.

srvrguy · Dec 05 '18 17:12

As of SonarQube version 9.1, this was fixed by having SQ just not return the raw values of secured settings. You can find some info at SONAR-15338.

srvrguy · Nov 11 '22 22:11