dahall / TaskScheduler

Provides a .NET wrapper for the Windows Task Scheduler. It aggregates the multiple versions, provides an editor and allows for localization.
MIT License

TaskService stores a connection password in clear text #967

Closed chrisdent-de closed 1 year ago

chrisdent-de commented 1 year ago

Description

When a username and password are used to create an instance of TaskService, the password used is stored in clear text in a public property of the TaskService object.

Problem

The TaskService object is attached as a property to all Task, Folder, and RunningTask objects, which means that even a relatively shallow serialization of any of these objects will splash the password used everywhere.

Solution

Password should not be so trivially exposed on TaskService, even if the initial connection was made using the password in clear text (as required by the API).

Any of the following to reduce exposure would be sufficient:

I acknowledged that SecureString is not particularly secure and that in reality this is buying a degree of obscurity. I only seek to avoid such blatant repeated exposure of the connection password.

Would you welcome a pull request implementing any of the above?

Thanks!

dahall commented 1 year ago

If you have a means of doing a PR that doesn't break existing implementations, then I would be appreciative. This lib is used in many commercial and enterprise applications and I am very hesitant to introduce breaking changes.
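The exposure described in the issue, and one change that leaves the public surface in place as the reply asks, shown as an added example that is not code from the issue or from the library. `ExposedService`, `HardenedService` and `TaskLike` are hypothetical stand-ins, and System.Text.Json is assumed as the serializer.

```csharp
using System;
using System.Text.Json;
using System.Text.Json.Serialization;

// Hypothetical stand-in (not the library's type): the connection object keeps
// the password in a public read/write property.
public class ExposedService
{
    public string UserName { get; set; } = "";
    public string UserPassword { get; set; } = "";
}

// Same public members, but the value lives in a private field and the getter
// is excluded from System.Text.Json output.
public class HardenedService
{
    private readonly string password; // still clear text in memory
    public HardenedService(string userName, string password)
    {
        UserName = userName;
        this.password = password;
    }
    public string UserName { get; }
    [JsonIgnore] // existing callers still compile; the serializer skips it
    public string UserPassword => password;
}

// Hypothetical child object carrying a back-reference to its service.
public class TaskLike<TService>
{
    public string Name { get; set; } = "";
    public TService Service { get; set; } = default!;
}

public static class Demo
{
    public static string Dump<T>(T value) => JsonSerializer.Serialize(value);

    public static void Main()
    {
        const string secret = "constructed-sample-password"; // constructed value
        var leaky = new TaskLike<ExposedService> { Name = "Backup",
            Service = new ExposedService { UserName = "svc", UserPassword = secret } };
        var safer = new TaskLike<HardenedService> { Name = "Backup",
            Service = new HardenedService("svc", secret) };
        Console.WriteLine(Dump(leaky));
        Console.WriteLine(Dump(safer));
        Console.WriteLine($"leaky output contains secret: {Dump(leaky).Contains(secret)}");
        Console.WriteLine($"safer output contains secret: {Dump(safer).Contains(secret)}");
    }
}
```

An ignore attribute only covers the serializer that honors it. Any tool that enumerates public properties by reflection still reads `UserPassword`, so fully removing the exposure means taking the getter off the public surface.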