usebruno / bruno

Open-source IDE for exploring and testing APIs (lightweight alternative to Postman/Insomnia)
https://www.usebruno.com/
MIT License

PFX passphrase stored in collection bru in the clear #2685

Open mattisking opened 3 months ago

mattisking commented 3 months ago

I have checked the following:

Describe the bug

The recent landing of pfx support for certs is great, thanks for that. However, the passPhrase is currently stored in the clear in the collection bru file, meaning it’s also going to go into Git (for most people).

Why not make this use the same secrets logic you have for secret variables.

.bru file to reproduce the bug

Not really necessary. You can see this if you simply add a PFX cert with its passphrase.

Screenshots/Live demo link

Not needed.

pietrygamat commented 3 months ago

Interestingly, the pfx passphrase is being interpolated, which means a bru file like this works, assuming the password is stored in the environment variable pfx_pass, which may be marked as a secret.

```json
"clientCertificates": {
  "enabled": true,
  "certs": [
    {
      "domain": "*",
      "type": "pfx",
      "pfxFilePath": "certs/client.example.com.p12",
      "passphrase": "{{pfx_pass}}"
    }
  ]
}
```
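A small pre-commit style check for the pattern described above, as an added example that is not Bruno's own code: it reads a collection's clientCertificates block and flags any cert whose passphrase is a literal string rather than a `{{variable}}` reference that can resolve to a secret variable. The sample configuration and the function names are constructed for this example.

```javascript
// Added example (not part of Bruno): detect PFX passphrases committed in the clear.
// A passphrase written as "{{name}}" is resolved at runtime from a collection or
// environment variable (which can be marked secret); anything else is a literal.
const INTERPOLATION = /^\{\{\s*[A-Za-z_][\w.-]*\s*\}\}$/;

function findPlaintextPassphrases(config) {
  const findings = [];
  const block = config && config.clientCertificates;
  const certs = (block && Array.isArray(block.certs)) ? block.certs : [];
  certs.forEach((cert, index) => {
    const passphrase = cert.passphrase;
    // No passphrase stored at all: nothing to leak.
    if (typeof passphrase !== 'string' || passphrase.length === 0) return;
    // Reference to a variable: the value lives outside the committed file.
    if (INTERPOLATION.test(passphrase)) return;
    findings.push({
      index,
      domain: cert.domain,
      pfxFilePath: cert.pfxFilePath,
      reason: 'passphrase is a literal string, not a {{variable}} reference',
    });
  });
  return findings;
}

// Convenience wrapper for the raw file contents (e.g. read from bruno.json).
function scanCollectionJson(jsonText) {
  return findPlaintextPassphrases(JSON.parse(jsonText));
}

// Constructed sample: first cert follows the interpolation pattern, second does not.
const SAMPLE_CONFIG = {
  clientCertificates: {
    enabled: true,
    certs: [
      { domain: '*', type: 'pfx', pfxFilePath: 'certs/client.example.com.p12', passphrase: '{{pfx_pass}}' },
      { domain: 'api.example.test', type: 'pfx', pfxFilePath: 'certs/other.p12', passphrase: 'hunter2' },
    ],
  },
};

for (const f of findPlaintextPassphrases(SAMPLE_CONFIG)) {
  console.log(`cert[${f.index}] for ${f.domain} (${f.pfxFilePath}): ${f.reason}`);
}
```

In a pre-commit hook, a non-empty result from scanCollectionJson on the staged bruno.json is the signal to block the commit.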
mattisking commented 3 months ago

Ah great. That’ll work for me. Thanks.