search

halo-dev / halo

强大易用的开源建站工具。
https://www.halo.run
GNU General Public License v3.0
32.78k stars 9.5k forks source link

Suggestions towards the hardcoded password #5843

Open Gax-c opened 3 months ago

Gax-c commented 3 months ago

System information

no

What is the project operation method?

Source Code

What happened?

Why you need it?

We've identified that the password is hardcoded in the source code here.

            var keyStorePath = keysRoot.resolve("halo.keystore");
            var password = "changeit".toCharArray();
            var keyStore = KeyStore.getInstance(KeyStore.getDefaultType());

You can see the hardcoded key "changeit".

How could it be?

We understand that halo is a tool for building websites, but as long as the template allows for hardcoded password, this will also exist in downstream projects. That is, the developers who use halo for website building may still hardcode their passwords in the source code although these passwords may be change to something else rather than "changeit".

Suggestion

So, I suggest that the password should be stored in a more secure way, and I'm sure this will make halo better!

Relevant log output

No response

Additional information

No response

ruibaby commented 2 months ago

ping @halo-dev/sig-halo

JohnNiang commented 2 months ago

Thank you for reaching out here!

I'm going to add configuration properties to allow users to change the default password, but default value will be still changeit. If someone want to change the password, they can use the default password changeit to change the password for the keystore file, and then configure the new password into application.yaml, command line argument or environment variable.

/kind improvement /area core