filestash
[bug] Passwords in config.json are plain text
Description of the bug
- Enter any password into the UI (i.e. Email password, or MySQL password)
- Open up config.json and there they are in plain text
Can you replicate that error from the demo?
Haven't tried; probably don't have access to its config.json
Observed behavior
Passes are in plain text. (Bad security practice)
Expected behavior
Passes not in plain text. (They should be encrypted in the file and decoded as needed.)
I'm not sure what you mean, passwords in Filestash are stored using bcrypt. Also config.json is just one example of config storage, this can be changed via the plugin mechanism (see here) to store config in any medium you want with any kind of encryption you want. config.json is just the default storage mechanism
I'm closing as I don't see any action on my side. Feel free to comment if you think we should reopen
I'm seeing this as well.
It's pretty easy to see in a quick test; just add an sFTP, fill it out, including the password, then look at the config.json. Right in that new sftp connection's "password": key it shows the unencrypted password as its value.
I could make a video of it if needed.
I made 9a98da79782db460647b82132bd94ce6a0db6c1b after seeing the various reactions. From now on, if you set the CONFIG_SECRET env variable to something, the config.json will be encrypted (using AES-GCM) without needing an extra plugin
@mickael-kerjean Thanks, it's a step in the right direction, but doesn't encrypting the entire file make it more difficult to manually tweak all of the other non-sensitive settings in the file? Would it be just as easy to just encrypt/decrypt the passwords alone on the fly as needed?
Yes that would make for a very nice PR. Although if someone wants to tackle this we'd need to keep the same function definition as what is in here so as not to break the existing config plugins
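The field-level alternative raised above (encrypt only the secrets, leave the rest of config.json editable by hand), as an added illustration that is not Filestash's own code and does not use its config plugin interface. It assumes a key derived from a CONFIG_SECRET-style passphrase with SHA-256, an `enc:v1:` prefix to mark sealed values, and that only keys named `password` hold secrets; all three are choices made for this example, not anything the project does.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// encPrefix marks a value that is already sealed, so saving twice never double-encrypts
// and a hand-edited plaintext password is still accepted on load. (Assumption for this example.)
const encPrefix = "enc:v1:"

// secretKeys lists the JSON keys treated as sensitive. (Assumption: only "password".)
var secretKeys = map[string]bool{"password": true}

// deriveKey turns a passphrase (the CONFIG_SECRET env var, for instance) into an AES-256 key.
func deriveKey(secret string) []byte {
	k := sha256.Sum256([]byte(secret))
	return k[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptString seals one value with AES-GCM. A fresh random nonce is prepended to the
// ciphertext, so identical passwords never produce identical strings in the file.
func EncryptString(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), nil)
	return encPrefix + base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// DecryptString opens a sealed value; plaintext values (no prefix) are returned unchanged.
// A wrong key fails the GCM tag check and returns an error instead of garbage.
func DecryptString(key []byte, value string) (string, error) {
	if !strings.HasPrefix(value, encPrefix) {
		return value, nil
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(value, encPrefix))
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns {
		return "", errors.New("sealed value too short")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], nil)
	return string(pt), err
}

// walk applies fn to every string stored under a secret key, recursing through nested
// objects and arrays (e.g. a "connections" list holding sftp/email entries).
func walk(v interface{}, parentKey string, fn func(string) (string, error)) (interface{}, error) {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, child := range t {
			out, err := walk(child, k, fn)
			if err != nil {
				return nil, err
			}
			t[k] = out
		}
		return t, nil
	case []interface{}:
		for i, child := range t {
			out, err := walk(child, parentKey, fn)
			if err != nil {
				return nil, err
			}
			t[i] = out
		}
		return t, nil
	case string:
		if secretKeys[parentKey] {
			return fn(t)
		}
		return t, nil
	default:
		return v, nil
	}
}

func transform(secret string, configJSON []byte, fn func([]byte, string) (string, error)) ([]byte, error) {
	key := deriveKey(secret)
	var doc interface{}
	if err := json.Unmarshal(configJSON, &doc); err != nil {
		return nil, err
	}
	out, err := walk(doc, "", func(s string) (string, error) { return fn(key, s) })
	if err != nil {
		return nil, err
	}
	return json.MarshalIndent(out, "", "  ")
}

// SealConfig encrypts only the secret fields; ports, hostnames, usernames stay readable.
func SealConfig(secret string, configJSON []byte) ([]byte, error) {
	return transform(secret, configJSON, func(key []byte, s string) (string, error) {
		if strings.HasPrefix(s, encPrefix) {
			return s, nil // already sealed on an earlier save
		}
		return EncryptString(key, s)
	})
}

// OpenConfig is the load-time counterpart, decrypting secrets on the fly.
func OpenConfig(secret string, sealedJSON []byte) ([]byte, error) {
	return transform(secret, sealedJSON, DecryptString)
}

func main() {
	// Constructed sample config, shaped like the sftp entry described in the issue.
	sample := []byte(`{"general":{"port":8334},"connections":[{"type":"sftp","hostname":"sftp.example.test","username":"alice","password":"hunter2"}]}`)
	sealed, err := SealConfig("example-config-secret", sample)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(sealed)) // everything readable except the "password" value
	opened, err := OpenConfig("example-config-secret", sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(opened))
}
```

Because a sealed value is self-describing (prefix, nonce, ciphertext, tag), an operator can still edit the port or hostname in the file by hand, and can even paste a plaintext password in, which gets sealed on the next save.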
Yes that would make for a very nice PR.
lol, ok, give me 5 mins. to learn Go from scratch, and then the entire flow of the program, and I'll submit a PR to encrypt a string. :)