Closed USGrantN closed 3 years ago
I can't really control any of this, as the objects come from the WinSCP dll. @martinprikryl did you know this is happening? Just tested it with the latest version of the assembly 15.7.7:
The Password
property is a plain string. If you set the SecurePassword
, reading Password
will get you plain password back. It's the same as reading $credential.GetNetworkCredential().Password
.
Issue Description
If session options is saved to a variable for quick access, the password parameter is visible as a string if it is inspected, despite the PW being passed as a secure string and part of a credential object.
Example
$user = "username" $PW = Get-Content [path to encrypted text file] | ConvertTo-SecureString $credential = New-Object System.Management.Automation.PsCredential($user, $PW) $SFTP = "SFTP site" $sessionOptions = New-WinSCPSessionOption -HostName $SFTP -Credential $credential -SshHostKeyFingerprint "fingerprint"
$sessionOptions
Expected Output
Name : username@sftpsite Protocol : Sftp HostName :SFTP site PortNumber : 0 UserName : username Password : System.Security.SecureString SecurePassword : System.Security.SecureString NewPassword : SecureNewPassword : Timeout : 00:00:15 TimeoutInMilliseconds : 15000 PrivateKeyPassphrase : SecurePrivateKeyPassphrase : RootPath : SshHostKeyFingerprint : fingerprint GiveUpSecurityAndAcceptAnySshHostKey : False SshPrivateKeyPath : SshPrivateKeyPassphrase : FtpMode : Passive FtpSecure : None WebdavSecure : False WebdavRoot : TlsHostCertificateFingerprint : GiveUpSecurityAndAcceptAnyTlsHostCertificate : False TlsClientCertificatePath :
Actual Output
Name : username@sftpsite Protocol : Sftp HostName :SFTP site PortNumber : 0 UserName : username Password : [password in plain text] SecurePassword : System.Security.SecureString NewPassword : SecureNewPassword : Timeout : 00:00:15 TimeoutInMilliseconds : 15000 PrivateKeyPassphrase : SecurePrivateKeyPassphrase : RootPath : SshHostKeyFingerprint : fingerprint GiveUpSecurityAndAcceptAnySshHostKey : False SshPrivateKeyPath : SshPrivateKeyPassphrase : FtpMode : Passive FtpSecure : None WebdavSecure : False WebdavRoot : TlsHostCertificateFingerprint : GiveUpSecurityAndAcceptAnyTlsHostCertificate : False TlsClientCertificatePath :
WinSCP-PowerShell Version
5.17.5.3
Environment
OS Name: Microsoft Windows Server 2019 Standard OS Version: 10.0.17763 N/A Build 17763
Name : Visual Studio Code Host Version : 2020.6.0 InstanceId : 66b1cd65-851a-4ce6-a4b8-33c8926c5bf9 UI : System.Management.Automation.Internal.Host.InternalHostUserInterface CurrentCulture : en-US CurrentUICulture : en-US PrivateData : Microsoft.PowerShell.EditorServices.Services.PowerShellContext.EditorServicesPSHost+ConsoleColorProxy DebuggerEnabled : True IsRunspacePushed : False Runspace : System.Management.Automation.Runspaces.LocalRunspace