search

sillsdev / chorus

End-user collaboration library via 3-way xml merging and hg dvcs under the hood
6 stars 26 forks source link

Send/Receive credentials logged in clear text #337

Closed myieye closed 4 months ago

myieye commented 4 months ago

The Send/Receive URL(s) logged here log the entire (encoded) URL in cleartext including the <username>:<password>: https://github.com/sillsdev/chorus/blob/04e1e281629260cdc89e718f418d9c0491859a44/src/LibChorus/VcsDrivers/Mercurial/HgRepository.cs#L1061

e.g.:

Getting project...&#xD;
   Started at 2024-04-12 11:59:27Z&#xD;
   Local User: tim&#xD;
   LanguageForge User: admin&#xD;
   Repository URI: https://admin:!UserPassword!@hg-staging.languageforge.org:443/elawa-dev-flex&#xD;
   Local Directory: C:\Users\tim\AppData\Local\Temp\SR_Tests\CloneBigProject\1-9eff4b07\elawa-dev-flex&#xD;&#xD;
bobeaton commented 4 months ago

A related question I had (based on some recent user errors), if the user’s username (e.g. ‘admin’ here) is an email address (e.g. @.***), is mercurial/Chorus able to have a repository URI w/ two different @s in it?

It seems to be causing a problem, though that may be due to us using a someone ancient version of Chorus… (LibChorus 5.0.0 and Mercurial 3.0.1)

If that isn’t functional, then we might want to restrict ‘signup’ on the website/portal to only first_last type logins… (rather than email addrs), lest the user think that they can use that in the Chorus dialog. It appears to me that if you signup/register on the website with an email address, you don’t get a first_last kind of ‘login’ to use in the Chorus dialog settings.

Bob

From: Tim Haasdyk @.> Sent: Monday, April 15, 2024 3:11 AM To: sillsdev/chorus @.> Cc: Subscribed @.***> Subject: [sillsdev/chorus] Send/Receive credentials logged in clear text (Issue #337)

CAUTION: This email originated from outside your organization. Exercise caution when opening attachments or clicking links, especially from unknown senders.

The Send/Receive URL(s) logged here log the entire (encoded) URL in cleartext including the :: https://github.com/sillsdev/chorus/blob/04e1e281629260cdc89e718f418d9c0491859a44/src/LibChorus/VcsDrivers/Mercurial/HgRepository.cs#L1061

e.g.:

Getting project...

Started at 2024-04-12 11:59:27Z

Local User: tim

LanguageForge User: admin

Repository URI: @.***:443/elawa-dev-flex

Local Directory: C:\Users\tim\AppData\Local\Temp\SR_Tests\CloneBigProject\1-9eff4b07\elawa-dev-flex

— Reply to this email directly, view it on GitHubhttps://github.com/sillsdev/chorus/issues/337, or unsubscribehttps://github.com/notifications/unsubscribe-auth/ABDUY5O4JJ5VSUHLLJNTLJDY5ODSHAVCNFSM6AAAAABGG25JMGVHI2DSMVQWIX3LMV43ASLTON2WKOZSGI2DGMBQGI4TEMY. You are receiving this because you are subscribed to this thread.Message ID: @.**@.>>

This message and its contents are intended only for the person or entity to which it is addressed. It may contain confidential and/or protected material. Any review, transmission, dissemination or other use of this information by anyone other than the intended recipient is strictly prohibited. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you.

rmunn commented 4 months ago

There's a ServerSettingsModel.RemovePasswordForLog static method, which is used when logging errors in, for instance, the HgRepository.PullFromTarget method. I wonder why it wasn't used in RepositoryURIForLog? Should be a quick fix.