Shadow the password on cache and session config on admin panel #7300

lunny · 2019-06-26T03:51:43Z

will fix #7147

codecov-io · 2019-06-26T04:24:15Z

Codecov Report

Merging #7300 into master will increase coverage by 0.03%.
The diff coverage is 78.26%.

@@            Coverage Diff             @@
##           master    #7300      +/-   ##
==========================================
+ Coverage    41.2%   41.23%   +0.03%     
==========================================
  Files         464      464              
  Lines       62788    62832      +44     
==========================================
+ Hits        25873    25911      +38     
- Misses      33524    33529       +5     
- Partials     3391     3392       +1

Impacted Files	Coverage Δ
routers/admin/admin.go	`16.66% <78.26%> (+16.66%)`	⬆️
modules/log/event.go	`65.64% <0%> (+1.02%)`	⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 42729b7...f0f43ca. Read the comment docs.

mrsdizzie · 2019-06-26T05:13:09Z

routers/admin/admin.go

@@ -202,6 +202,17 @@ func SendTestMail(ctx *context.Context) {
 	ctx.Redirect(setting.AppSubURL + "/admin/config")
 }

+func shadowPassword(cfgItem string) string {
+	fields := strings.Split(cfgItem, ",")


I think there need to be more than one check, since the config strings can be different for MySQL and redis. This seems to fix for redis, but not MySQL. In the example from #7147, the session provider connection string is:

someclient:somepassword@tcp(srv-mysql:3306)/someclient

This format uses DSN, so the password is optional: https://github.com/go-sql-driver/mysql

Maybe it you can also pass in the adapter/provider to shadowPassword and then know if it is Redis/MySQL and check based on that.

OK. Will fix that.

lunny · 2019-06-26T07:21:23Z

@mrsdizzie done with test.

…tea#7300) * shadow the password on cache and session config on admin panel * add shadow password of mysql/postgres/couchbase * fix log import

Although go-gitea#7300 properly shadows the password from the virtual session provider, the template displaying the provider config still presumed that the config was JSON. This PR updates the template and properly hides the Virtual Session provider. Fixes go-gitea#7127

@silverwind

* Properly fix #7127 Although #7300 properly shadows the password from the virtual session provider, the template displaying the provider config still presumed that the config was JSON. This PR updates the template and properly hides the Virtual Session provider. Fixes #7127 * update per @silverwind's suggestion

@silverwind

…itea#9137) * Properly fix go-gitea#7127 Although go-gitea#7300 properly shadows the password from the virtual session provider, the template displaying the provider config still presumed that the config was JSON. This PR updates the template and properly hides the Virtual Session provider. Fixes go-gitea#7127 * update per @silverwind's suggestion

@silverwind

… (#9203) * Properly fix #7147 Although #7300 properly shadows the password from the virtual session provider, the template displaying the provider config still presumed that the config was JSON. This PR updates the template and properly hides the Virtual Session provider. Fixes #7147 * update per @silverwind's suggestion

shadow the password on cache and session config on admin panel

54ffde4

lunny added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Jun 26, 2019

lunny added this to the 1.9.0 milestone Jun 26, 2019

sapk approved these changes Jun 26, 2019

View reviewed changes

GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Jun 26, 2019

mrsdizzie suggested changes Jun 26, 2019

View reviewed changes

add shadow password of mysql/postgres/couchbase

f3636a7

fix log import

55de1bc

mrsdizzie approved these changes Jun 26, 2019

View reviewed changes

GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jun 26, 2019

Merge branch 'master' into lunny/fix_config_security

f0f43ca

lunny merged commit 161e12e into go-gitea:master Jun 26, 2019

lunny deleted the lunny/fix_config_security branch June 26, 2019 16:12

zeripath mentioned this pull request Nov 23, 2019

Properly fix displaying virtual session provider in admin panel #9137

Merged

6543 mentioned this pull request Nov 29, 2019

[Backport] Properly fix displaying virtual session provider in admin panel (#9137) #9203

Merged

go-gitea locked and limited conversation to collaborators Nov 24, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Shadow the password on cache and session config on admin panel #7300

Shadow the password on cache and session config on admin panel #7300

lunny commented Jun 26, 2019

codecov-io commented Jun 26, 2019 •

edited

Loading

mrsdizzie Jun 26, 2019

lunny Jun 26, 2019

lunny commented Jun 26, 2019

Shadow the password on cache and session config on admin panel #7300

Shadow the password on cache and session config on admin panel #7300

Conversation

lunny commented Jun 26, 2019

codecov-io commented Jun 26, 2019 • edited Loading

Codecov Report

mrsdizzie Jun 26, 2019

Choose a reason for hiding this comment

lunny Jun 26, 2019

Choose a reason for hiding this comment

lunny commented Jun 26, 2019

codecov-io commented Jun 26, 2019 •

edited

Loading