darold / ora2pg

Ora2Pg is a free tool used to migrate an Oracle database to a PostgreSQL compatible schema. It connects to your Oracle database, scans it automatically and extracts its structure or data, then generates SQL scripts that you can load into PostgreSQL.
http://www.ora2pg.com/
GNU General Public License v3.0
993 stars, 342 forks

User credentials are stored as clear text in ora2pg.conf file and CLI parameters #923

Open billramo opened 4 years ago

billramo commented 4 years ago

Hi Gilles,
As a user of Ora2Pg, I'm unable to use Ora2Pg for potential clients because there is no way to use secure strings with credentials. Most of our migrations for Oracle to PostgreSQL are to AWS, so I can use AWS SCT. AWS SCT provides a secure vault for credentials that they store in migration projects that you can use for guidance in fixing this huge security issue.

If this was reported in the https://nvd.nist.gov/vuln-metrics/cvss# site, this would be a Critical issue.

We have customers wanting to migrate Oracle to Azure Database for PostgreSQL and GCP Cloud SQL for PostgreSQL and we can't use SCT for these projects due to licensing restrictions. As a former Microsoft employee on the SQL Server team, I'm stunned that Microsoft hasn't asked for this given the latest offering - Migrate Oracle to Azure Database for PostgreSQL.

Windows includes a Credential locker for storing credentials. You can also use cloud versions like AWS Vault. Azure has Key Vault too.

Please make this a priority.
Thanks,
Bill
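The two exposures named in the issue title are concrete enough to check for and to work around today. The script below is an added example for this thread, not code from Ora2Pg or from anyone posting here. It uses the real ora2pg.conf directive names ORACLE_DSN, ORACLE_USER and ORACLE_PWD, but every value in it is constructed. It assumes a hypothetical environment variable ORA2PG_PWD as a stand-in for whatever vault lookup (AWS Secrets Manager, Azure Key Vault, the Windows credential locker, or similar) you would actually call. It does three things: flags a shared ora2pg.conf that carries a clear-text password, builds a per-run config with mode 0600 that holds the password only for the duration of a run (to be passed to ora2pg with its -c option), and shows why putting the password in the -w/--password argument is the worse choice, since any local user can read another process's argv.

```shell
#!/bin/sh
# Added example for this issue (not part of Ora2Pg). Directive names follow
# ora2pg.conf; all values are constructed. ORA2PG_PWD is a hypothetical
# stand-in for a vault lookup.

# Write a constructed ora2pg.conf with a clear-text password to $1.
write_sample_conf() {
  {
    echo '# constructed sample ora2pg.conf'
    printf 'ORACLE_DSN\tdbi:Oracle:host=oradb.example.internal;sid=ORCL;port=1521\n'
    printf 'ORACLE_USER\tmigr\n'
    printf 'ORACLE_PWD\tS3cretP@ss\n'
    printf 'SCHEMA\tHR\n'
  } > "$1"
}

# The audit: exit 0 when $1 sets a non-empty ORACLE_PWD (a finding), 1 otherwise.
# ora2pg.conf directives are NAME<whitespace>VALUE; lines starting with # are comments.
conf_has_cleartext_pwd() {
  grep -Eq '^[[:space:]]*ORACLE_PWD[[:space:]]+[^[:space:]#]' "$1"
}

# Copy $1 to $2 with the ORACLE_PWD directive removed, so the config you keep in
# version control or share with a team never carries the secret.
strip_pwd_from_conf() {
  grep -Ev '^[[:space:]]*ORACLE_PWD([[:space:]]|$)' "$1" > "$2"
}

# Build the per-run config $2 from the password-free base config $1 plus the
# password fetched at run time into ORA2PG_PWD. The file is created under
# umask 077, so it is mode 0600 from its first byte; delete it after the run.
build_runtime_conf() {
  [ -n "${ORA2PG_PWD:-}" ] || { echo "ORA2PG_PWD not set (vault lookup failed?)" >&2; return 1; }
  rm -f "$2"
  (
    umask 077
    cat "$1" > "$2"
    printf 'ORACLE_PWD\t%s\n' "$ORA2PG_PWD" >> "$2"
  )
}

# Permission bits of $1 (e.g. 600); GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Why -w on the command line is worse: start a throwaway process whose argv
# mimics "ora2pg -w <password>", read its argv back the way any local user
# could (/proc or ps), and return 0 if the password is visible there.
password_visible_in_argv() {
  sh -c 'sleep 2; :' ora2pg -w "$1" &
  pid=$!
  sleep 1   # let the child finish exec so we read its own argv, not ours
  if [ -r "/proc/$pid/cmdline" ]; then
    argv=$(tr '\0' ' ' < "/proc/$pid/cmdline")
  else
    argv=$(ps -o args= -p "$pid")
  fi
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  case "$argv" in
    *"$1"*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Walk through the pattern when a password has been supplied in the environment.
demo() {
  work=$(mktemp -d)
  write_sample_conf "$work/ora2pg.conf"
  if conf_has_cleartext_pwd "$work/ora2pg.conf"; then
    echo "finding: $work/ora2pg.conf stores ORACLE_PWD in clear text"
  fi
  strip_pwd_from_conf "$work/ora2pg.conf" "$work/base.conf"
  build_runtime_conf "$work/base.conf" "$work/run.conf"
  echo "per-run config $work/run.conf has mode $(file_mode "$work/run.conf")"
  echo "(would now run: ora2pg -c $work/run.conf -t TABLE ...)"
  if password_visible_in_argv 'S3cretP@ss'; then
    echo "and a password passed with -w is readable from the process list"
  fi
  rm -rf "$work"
}

[ -n "${ORA2PG_PWD:-}" ] && demo
```

Run it as `ORA2PG_PWD="$(your-vault-lookup)" sh ora2pg_creds.sh`. The per-run file only narrows the window: the password is still on disk in clear text while ora2pg runs, which is why the issue's request for native vault support (or the interactive prompt mentioned later in the thread) remains the real fix.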

darold commented 4 years ago

I don't use it myself for the moment but the day I will have the problem I will work on it for sure.

darold commented 4 years ago

There is a PR #755 that allows interactive password use; could this be a temporary solution for you?

gp4git commented 3 years ago

Hello,

the correct PR is #775

Regards