
[bug] Insecure TLS Skipping in Email Verification Process

Open nyxfqq opened this issue 7 months ago • 0 comments

Description of the bug

In the current implementation of the ShareProofVerifier function within share.go found at github.com/m/mickael-kerjean/filestash/server/model, the TLS verification is being bypassed when sending out email verification codes. This practice is explicitly warned against in the gomail package documentation, stating that it is insecure and should not be used in a production environment.

Step by step instructions to reproduce the bug

  1. Clone the repository from mickael-kerjean/filestash.
  2. Navigate to the server/model/share.go file.
  3. Locate the ShareProofVerifier function.
  4. Observe the TLS configuration for the SMTP dialer. It is configured to skip TLS verification (InsecureSkipVerify = true).
  5. Build and run the application to see that emails are sent without verifying the TLS certificate of the SMTP server.

Expected behavior

TLS verification should be enabled to ensure that all email communications are securely transmitted. This involves configuring the SMTP dialer to validate the TLS certificate of the SMTP server, ensuring that the email data remains confidential and protected during transmission.

As noted in the GoMail documentation, skipping TLS verification is considered insecure and should never be implemented in a production environment. Doing so renders the email transmission vulnerable to man-in-the-middle attacks and exposes sensitive data to potential interception.

nyxfqq avatar Jul 08 '24 07:07 nyxfqq
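
As an added example (not part of the issue and not Filestash's code), the following Go program audits source text for the setting named in step 4, using the standard `go/parser` and `go/ast` packages. The sample input and the names `FindSkipVerify`, `send`, `sendVerified` and `relax` are constructed for illustration; `TLSConfig` is the gomail dialer field that holds the `tls.Config`.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// sample is constructed input for this example; it is not Filestash's share.go.
const sample = `package model
func send(d *gomail.Dialer) { d.TLSConfig = &tls.Config{InsecureSkipVerify: true} }
func sendVerified(d *gomail.Dialer, host string) { d.TLSConfig = &tls.Config{ServerName: host} }
func relax(c *tls.Config) { c.InsecureSkipVerify = true }
`

// FindSkipVerify returns the source lines that set InsecureSkipVerify to true.
func FindSkipVerify(src string) ([]int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var lines []int
	hit := func(name, val ast.Expr) {
		if s, ok := name.(*ast.SelectorExpr); ok {
			name = s.Sel // cfg.InsecureSkipVerify -> InsecureSkipVerify
		}
		n, ok1 := name.(*ast.Ident)
		v, ok2 := val.(*ast.Ident)
		if ok1 && ok2 && n.Name == "InsecureSkipVerify" && v.Name == "true" {
			lines = append(lines, fset.Position(n.Pos()).Line)
		}
	}
	ast.Inspect(f, func(n ast.Node) bool {
		switch v := n.(type) {
		case *ast.KeyValueExpr: // tls.Config{InsecureSkipVerify: true}
			hit(v.Key, v.Value)
		case *ast.AssignStmt: // cfg.InsecureSkipVerify = true
			for i := 0; i < len(v.Lhs) && i < len(v.Rhs); i++ {
				hit(v.Lhs[i], v.Rhs[i])
			}
		}
		return true
	})
	return lines, nil
}

func main() { fmt.Println(FindSkipVerify(sample)) }
```

The check matches only the literal `true`, so a value routed through a variable or configuration option still needs manual review.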