OxalisCommunity / oxalis

Oxalis - PEPPOL Access Point open source implementation - Core component

Add support to get rid of plaintext password in property file (Oxalis.conf). #634

Open jaskiratsingh1792 opened 10 months ago

jaskiratsingh1792 commented 10 months ago

"oxalis.conf" contains passwords as plain text, which makes the application vulnerable, as someone having access to the system can read/modify it. E.g.:

oxalis.keystore {
  path = "xxxx/xxxxxx.jks"
  password = "xxxxxabc"
  key.alias = cert
  key.password = "xxxxxabc"
}

As this appears to be a security vulnerability, can we expect an alternate approach/solution for it?

seciq commented 8 months ago

@jaskiratsingh1792 The support is already there and you can pass secrets through environment variables.

Here is an example of oxalis.conf where the secret is passed through OXALIS_KEYSTORE_PASSWORD environment variable:

...
oxalis.keystore.path = oxalis-test.p12
oxalis.keystore.password = ${?OXALIS_KEYSTORE_PASSWORD}
oxalis.keystore.key.alias = cert
oxalis.keystore.key.password = ${?OXALIS_KEYSTORE_PASSWORD}
...

More details

Oxalis is using the com.typesafe.config.ConfigFactory to load the configuration. Here is the official documentation for config overrides.
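To show how the `${?OXALIS_KEYSTORE_PASSWORD}` substitution behaves when Typesafe Config resolves the fragment above, here is an added example (not code from the Oxalis project): it loads a constructed copy of that fragment, resolves it once against the real environment and once against a map standing in for the environment via `resolveWith`, and treats a missing secret as a startup error instead of a silently empty password. Class and method names are this example's own.

```java
import com.typesafe.config.Config;
import com.typesafe.config.ConfigFactory;
import java.util.Map;
import java.util.Optional;

public class KeystoreSecretDemo {
    // Constructed sample with the same shape as the oxalis.conf fragment above:
    // no literal secret is present in the file, only an optional substitution.
    static final String OXALIS_CONF = String.join("\n",
        "oxalis.keystore.path = oxalis-test.p12",
        "oxalis.keystore.password = ${?OXALIS_KEYSTORE_PASSWORD}",
        "oxalis.keystore.key.alias = cert",
        "oxalis.keystore.key.password = ${?OXALIS_KEYSTORE_PASSWORD}");

    /** Resolves the fragment the way the application does: substitutions fall back to environment variables. */
    static Config loadFromEnvironment(String hocon) {
        return ConfigFactory.parseString(hocon).resolve();
    }

    /** Resolves against a supplied map that stands in for the environment (handy in unit tests). */
    static Config loadWith(String hocon, Map<String, String> fakeEnv) {
        return ConfigFactory.parseString(hocon).resolveWith(ConfigFactory.parseMap(fakeEnv));
    }

    /** An unset optional substitution removes the key entirely, so hasPath() is the check, not an empty-string compare. */
    static Optional<String> keystorePassword(Config config) {
        String path = "oxalis.keystore.password";
        return config.hasPath(path) ? Optional.of(config.getString(path)) : Optional.empty();
    }

    public static void main(String[] args) {
        Config simulated = loadWith(OXALIS_CONF, Map.of("OXALIS_KEYSTORE_PASSWORD", "constructed-secret"));
        System.out.println("simulated environment -> password present: "
            + keystorePassword(simulated).isPresent());

        Config fromEnv = loadFromEnvironment(OXALIS_CONF);
        Optional<String> secret = keystorePassword(fromEnv);
        if (secret.isEmpty()) {
            // Fail closed: refuse to start rather than continue with no keystore secret.
            System.err.println("OXALIS_KEYSTORE_PASSWORD is not set; refusing to open the keystore");
            System.exit(1);
        }
        System.out.println("real environment -> password present: true");
    }
}
```

Requires the `com.typesafe:config` dependency on the classpath; run it once with `OXALIS_KEYSTORE_PASSWORD` exported and once without to see both branches.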