filestash
[bug] Insecure TLS Skipping in Email Verification Process
Description of the bug
In the current implementation of the `ShareProofVerifier` function within `share.go`, found at `github.com/m/mickael-kerjean/filestash/server/model`, the TLS verification is being bypassed when sending out email verification codes. This practice is explicitly warned against in the gomail package documentation, stating that it is insecure and should not be used in a production environment.
Step by step instructions to reproduce the bug
- Clone the repository from `mickael-kerjean/filestash`.
- Navigate to the `server/model/share.go` file.
- Locate the `ShareProofVerifier` function.
- Observe the TLS configuration for the SMTP dialer. It is configured to skip TLS verification (`InsecureSkipVerify = true`).
- Build and run the application to see that emails are sent without verifying the TLS certificate of the SMTP server.
Expected behavior
TLS verification should be enabled to ensure that all email communications are securely transmitted. This involves configuring the SMTP dialer to validate the TLS certificate of the SMTP server, ensuring that the email data remains confidential and protected during transmission.
As noted in the GoMail documentation, skipping TLS verification is considered insecure and should never be implemented in a production environment. Doing so renders the email transmission vulnerable to man-in-the-middle attacks and exposes sensitive data to potential interception.
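
The difference between the reported setting and a verifying client can be seen at the TLS layer alone. The following is an added example, not Filestash's code: a loopback TLS endpoint from Go's `net/http/httptest`, whose certificate no public CA has signed, stands in for the SMTP server, and the function names `insecureConfig`, `verifyingConfig`, `probe` and `demo` are assumptions made for this illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// insecureConfig reproduces the setting the issue reports: the client accepts
// any certificate, so it cannot tell the real mail server from an interceptor.
func insecureConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// verifyingConfig validates the chain and the host name. roots == nil uses the
// system trust store; pass a pool holding a private CA for an internal server.
func verifyingConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: roots}
}

// probe connects to addr with cfg and returns the handshake error (nil = accepted).
func probe(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
	}
	return err
}

// demo starts a loopback TLS endpoint whose certificate no public CA signed
// (a stand-in for the SMTP server) and probes it with each configuration.
func demo() (skip, system, private error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	addr := srv.Listener.Addr().String()
	return probe(addr, insecureConfig()), probe(addr, verifyingConfig(nil)), probe(addr, verifyingConfig(pool))
}

func main() {
	skip, system, private := demo()
	fmt.Println("InsecureSkipVerify:", skip)
	fmt.Println("system roots:      ", system)
	fmt.Println("private CA pool:   ", private)
}
```

When the mail server uses a certificate from a private CA, the third configuration keeps verification on by trusting that CA explicitly instead of disabling the check.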