Open geetparekh opened 3 months ago
To add some additional detail to the bug @geetparekh documented, when the standaloneUsername
and standalonePassword
environment variables are set in any of the following manners:
config.json
fileRegardless of how these attributes are set, the config.json
file is publicly exposed via Nginx, including the values of the standaloneUsername
and standalonePassword
in plain text.
There are several possible paths to mitigation:
config.json
file and instead let this be server-side only. In any case, help articles describing deployment technique (in the meantime) need to be incredibly explicit on the security risk of Neodash dashboards when deployed either in public or internal hosting environments. I'd be happy to submit a PR to the documentation site that describes this nuance, if desired.
This page describes the following:
standaloneUsername: A hidden config parameter enables you to set the username for standalone mode by default. Keep in mind this is a security risk, as it exposes the Neo4j username to anyone who can access the NeoDash deployment
standalonePassword: A hidden config parameter enables you to set the password for standalone mode by default. If this value is set connections are also made automatically. Keep in mind this is a security risk, as it exposes the Neo4j username to anyone who can access the NeoDash deployment.
Now, there are two ways to pass these variables: 1) through dist/config.json and 2) through environment variables (available within the container where we run the Neodash server) when using Docker image
For the first one, it is understandable that there is a security risk because the credentials are there in the dist/config.json and anyone having access to the deployment server, will be able to see it. However, for the second one, if the credentials are available through environment variables within the container, even then are the credentials exposed to someone who has access to NeoDash deployment? Does Neodash still write the credentials to a file exposing the credentials? In our case, we would be passing in environment variables to the container through Kubernetes secrets in our namespace/cluster for which we have measures to ensure security.
Expectation: