Docs: third-party credentials security warning #214
Conversation
The app-generated file, `.forestry/settings.yml`, exposes AWS credentials, and likely other 3rd-party credentials. This is a security vulnerability that needs a fix.

One proposed solution is to instruct the user of Forestry.io to add the `.forestry/settings.yml` to their repo's `.gitignore` file.

I suspect that Forestry.io holds a table of credentials somewhere, and then writes those credentials to the repo. I think a better solution than instructing a user to update their `.gitignore` is to update the Forestry.io software to not commit keys/secrets to GitHub.

https://www.datree.io/resources/secrets-management-aws#:~:text=2%20%E2%80%93%20NEVER%20commit%20secrets%20into%20your%20Git%20repositories,-When%20there%20are&text=Even%20worse%2C%20when%20the%20code,stolen%2C%20you%20will%20be%20compromised.

Please note that this vulnerability, if not addressed, can be a show stopper from using your platform, but if it WERE addressed, it makes you an extremely competitive offering because other markdown editing clients don't allow users to easily connect to S3.
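A concrete check for the failure mode raised in this issue, added here as an example and not code from the Forestry project: it scans a generated settings file for AWS credential shapes and reports whether that file is covered by `.gitignore`, so it can run as a pre-commit hook before the file ever reaches a remote. The sample YAML, its key names (`access_key`, `secret_key`) and the `.gitignore` contents are constructed assumptions, since the real `.forestry/settings.yml` layout is not shown on this page; the key values are the placeholder credentials AWS uses in its own documentation, not live keys.

```python
"""Pre-commit style check: credential-shaped values in a generated config file.

Added example, not Forestry project code. Key names, sample contents and
.gitignore lines below are assumptions; the AWS values are AWS's documented
placeholder credentials.
"""
import fnmatch
import re
import sys

# Constructed sample of what a generated settings file might contain.
SAMPLE_SETTINGS = """\
new-page-extension: md
auto-deploy: true
upload-dir: static/uploads
media:
  provider: s3
  bucket: example-bucket
  access_key: AKIAIOSFODNN7EXAMPLE
  secret_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# AWS access key IDs are 20 chars: a 4-char prefix (AKIA for long-term keys,
# ASIA for temporary ones) followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 base64-ish chars. On their own they look like any
# other token, so only flag them when the YAML key name hints at a secret.
SECRET_VALUE_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
SECRET_KEY_NAME_RE = re.compile(r"^\s*[\w.-]*(secret|password|token)[\w.-]*\s*:", re.I)


def find_aws_credentials(text):
    """Return (line_no, kind, value) for every credential-shaped value in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            hits.append((no, "aws_access_key_id", m.group(1)))
        if SECRET_KEY_NAME_RE.match(line):
            for m in SECRET_VALUE_RE.finditer(line):
                hits.append((no, "aws_secret_access_key", m.group(1)))
    return hits


def is_ignored(path, gitignore_text):
    """Approximate .gitignore matching for the common pattern forms.

    Handles bare names (match any path component), patterns containing a
    slash (anchored at the repo root), a trailing '/' (directory only) and
    '!' negation with last-match-wins. Not a full implementation: no '**',
    no escaping, and it does not model git's rule that a file inside an
    ignored directory cannot be re-included.
    """
    parts = path.lstrip("/").split("/")
    ignored = False
    for raw in gitignore_text.splitlines():
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        dir_only = pat.endswith("/")
        pat = pat.strip("/")
        if "/" in pat:
            # Anchored pattern: test the full path and each directory prefix.
            candidates = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
        else:
            # Bare name: any single path component may match.
            candidates = list(parts)
        if dir_only:
            candidates = candidates[:-1]  # the final component is the file itself
        if any(fnmatch.fnmatchcase(c, pat) for c in candidates):
            ignored = not negate
    return ignored


def audit(settings_text, gitignore_text, path=".forestry/settings.yml"):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    hits = find_aws_credentials(settings_text)
    for no, kind, value in hits:
        # Never echo the secret itself; a short prefix is enough to locate it.
        findings.append(f"{path}:{no}: {kind} present (starts with {value[:4]}...)")
    if hits and not is_ignored(path, gitignore_text):
        findings.append(f"{path} holds credentials and is not covered by .gitignore; "
                        "it will be committed")
    return findings


if __name__ == "__main__":
    # Constructed .gitignore that does not cover the generated settings file.
    problems = audit(SAMPLE_SETTINGS, "node_modules/\npublic/\n")
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Run from the repo root as a pre-commit hook, the non-zero exit blocks the commit; the `.gitignore` check is there because ignoring the file is the mitigation proposed in this issue, while the credential scan catches the case where the file is generated again into a path nobody thought to ignore.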
Hey Avery, what makes you think that we would store credentials in our settings YAML file?

Are you sure? I can understand that you may not think I know what I'm talking about. So here is the GitHub receipt to help you sort out the problem. I was alerted not only by AWS but also by GitHub. I have the emails, and now that I take a further look at it, I would share the email, but unfortunately it links to the settings YAML file with the exposed credentials. Would you like to have a Zoom call with me so I can show you the security vulnerability?

I politely suggest that you re-open this PR, because if you don't alert your users or try to fix this, there could be dire consequences for any users using AWS credentials (and possibly others). Remember, this is open source and I'm just here to help. I didn't have to say anything, but I'm a software engineer and have concern about points of vulnerability. Let's be nice to each other. All we have is trust.

We don't support encrypted keys, but Forestry needs its config file to work; that's why we can't accept this change. It's what we do on our very own website. I'll amend the docs to add a warning about not storing any sensitive information in the preview environment variables.

Warning added on the generic preview page: 556a230#diff-b8ef8088473d733da2cf5a2bb2eaca5bR69-R74