fsprojects / Paket

A dependency manager for .NET with support for NuGet packages and Git repositories.
https://fsprojects.github.io/Paket/
MIT License

Authentication configurations expose passwords #1984

Open haraldsteinlechner opened 7 years ago

haraldsteinlechner commented 7 years ago

Description

Exceptions and their stdout might print passwords in plaintext

Repro steps

I have no repro steps; the print occurred on one of our managers' computers and leaked his password to me.

Expected behavior

Do not print plaintext passwords in exception texts.

Known workarounds

I suspect the complete plaintext authentication scheme is not really secure. Still, having plaintext passwords printed to screen renders paket really untrustworthy ;)

I'd suggest simply to put StructuredFormatDisplay on the authentication configs.
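An added illustration of the StructuredFormatDisplay suggestion above (example code written for this page, not Paket's own; the record type, field names and sample values are assumptions): the default `%A` / `ToString` output of a record dumps every field, so a credentials record ends up in exception text verbatim, while the attribute and a `ToString` override route both paths through a redacting display member.

```fsharp
open System

/// Credentials as a plain record: %A and %O print every field, password included.
type NaiveCredentials =
    { Username : string
      Password : string }

/// Same data with both printing paths redirected to a redacting member.
/// StructuredFormatDisplay covers %A (structural printing); the ToString
/// override covers %O, string interpolation and exception messages.
[<StructuredFormatDisplay("{Display}")>]
type Credentials =
    { Username : string
      Password : string }
    member this.Display =
        sprintf "{ Username = %s; Password = <redacted> }" this.Username
    override this.ToString() = this.Display

/// Builds the kind of message Paket-style code might put into an exception.
let authFailureMessage (creds : obj) =
    sprintf "Authentication failed for %O" creds

[<EntryPoint>]
let main _ =
    // Constructed sample values, not real credentials.
    let naive = { NaiveCredentials.Username = "alice"; Password = "hunter2" }
    let safe  = { Credentials.Username = "alice"; Password = "hunter2" }

    // Structural printing, the form that ends up in logs and exception text
    printfn "%A" naive   // the Password field is written out in full
    printfn "%A" safe    // routed through Display; the password does not appear

    // The exception path: %O / ToString
    printfn "%s" (authFailureMessage naive)  // leaks the password
    printfn "%s" (authFailureMessage safe)   // redacted
    0
```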

haraldsteinlechner commented 7 years ago

I think this might be the right location: https://github.com/fsprojects/Paket/pull/1985

cdrnet commented 7 years ago

We seem to run into this from time to time, see also #1224, #1357. Maybe it's time to consider switching to SecureString to prevent this from happening in the first place?

haraldsteinlechner commented 7 years ago

+1

cdrnet commented 7 years ago

(kind of fitting that this issue has id 1984...)