Password field is in plan text

tcplugins / tcWebHooks

WebHooks plugin for Teamcity. Supports many build states and payload formats.

https://netwolfuk.wordpress.com/category/teamcity/tcplugins/tcwebhooks/

155 stars 30 forks source link

Password field is in plan text #227

Closed alwaysharsha closed 3 months ago

alwaysharsha commented 11 months ago

Expected Behavior

Password field shouldn't be exposed in plain text

Current Behavior

Currently, the password field is in plain text

Steps to Reproduce (for bugs)

Refer screen above when providing the credentials in basic it is capturing the credentials in plain text

Your Environment

tcWebHooks Version: 1.2.2
TeamCity Version: 2023.5.3
TeamCity server Operating System: Windows Server 2016
Are you using a WebHook Template?: Yes

Example Configuration (xml)

netwolfuk commented 11 months ago

Hi @alwaysharsha

The best option is to use a WebHook Parameter set as "password". TeamCity will store it outside your build settings in an encrypted file.

Then reference the WebHook Parameter in the password field of your webhook authentication settings.

See this page for more information: https://github.com/tcplugins/tcWebHooks/wiki/Hiding-Sensitive-Values-In-WebHook-Configuration

Here is an example I have on my test server...

And then referenced in a webhook

netwolfuk commented 11 months ago

BTW, the webhook configuration is stored on the teamcity server un-encrypted (I can't change how that works). So any implied security by using a hidden field in the webhook edit dialog would be mis-leading. That is why is it a plain text box, so that it's obvious that it won't be stored securely.

Referencing a secure WebHook Parameter is the better option.

netwolfuk commented 3 months ago

I'm going to close this out. Using a secure WebHook Parameter is the way to resolve this.