search

tomohulk / WinSCP

WinSCP PowerShell Wrapper Module
GNU General Public License v3.0
151 stars 29 forks source link

PW stored as string in SessionOptions #129

Closed USGrantN closed 3 years ago

USGrantN commented 4 years ago

Issue Description

If session options is saved to a variable for quick access, the password parameter is visible as a string if it is inspected, despite the PW being passed as a secure string and part of a credential object.

Example

$user = "username" $PW = Get-Content [path to encrypted text file] | ConvertTo-SecureString $credential = New-Object System.Management.Automation.PsCredential($user, $PW) $SFTP = "SFTP site" $sessionOptions = New-WinSCPSessionOption -HostName $SFTP -Credential $credential -SshHostKeyFingerprint "fingerprint"

$sessionOptions

Expected Output

Name : username@sftpsite Protocol : Sftp HostName :SFTP site PortNumber : 0 UserName : username Password : System.Security.SecureString SecurePassword : System.Security.SecureString NewPassword : SecureNewPassword : Timeout : 00:00:15 TimeoutInMilliseconds : 15000 PrivateKeyPassphrase : SecurePrivateKeyPassphrase : RootPath : SshHostKeyFingerprint : fingerprint GiveUpSecurityAndAcceptAnySshHostKey : False SshPrivateKeyPath : SshPrivateKeyPassphrase : FtpMode : Passive FtpSecure : None WebdavSecure : False WebdavRoot : TlsHostCertificateFingerprint : GiveUpSecurityAndAcceptAnyTlsHostCertificate : False TlsClientCertificatePath :

Actual Output

Name : username@sftpsite Protocol : Sftp HostName :SFTP site PortNumber : 0 UserName : username Password : [password in plain text] SecurePassword : System.Security.SecureString NewPassword : SecureNewPassword : Timeout : 00:00:15 TimeoutInMilliseconds : 15000 PrivateKeyPassphrase : SecurePrivateKeyPassphrase : RootPath : SshHostKeyFingerprint : fingerprint GiveUpSecurityAndAcceptAnySshHostKey : False SshPrivateKeyPath : SshPrivateKeyPassphrase : FtpMode : Passive FtpSecure : None WebdavSecure : False WebdavRoot : TlsHostCertificateFingerprint : GiveUpSecurityAndAcceptAnyTlsHostCertificate : False TlsClientCertificatePath :

WinSCP-PowerShell Version

5.17.5.3

Environment

OS Name: Microsoft Windows Server 2019 Standard OS Version: 10.0.17763 N/A Build 17763

Name : Visual Studio Code Host Version : 2020.6.0 InstanceId : 66b1cd65-851a-4ce6-a4b8-33c8926c5bf9 UI : System.Management.Automation.Internal.Host.InternalHostUserInterface CurrentCulture : en-US CurrentUICulture : en-US PrivateData : Microsoft.PowerShell.EditorServices.Services.PowerShellContext.EditorServicesPSHost+ConsoleColorProxy DebuggerEnabled : True IsRunspacePushed : False Runspace : System.Management.Automation.Runspaces.LocalRunspace

tomohulk commented 3 years ago

I can't really control any of this, as the objects come from the WinSCP dll. @martinprikryl did you know this is happening? Just tested it with the latest version of the assembly 15.7.7:

image
martinprikryl commented 3 years ago

The Password property is a plain string. If you set the SecurePassword, reading Password will get you plain password back. It's the same as reading $credential.GetNetworkCredential().Password.