
Migrating: Auth token is not properly protected in frontend #22174

Closed
h3xx opened this issue Dec 19, 2022 · 2 comments · Fixed by #22175
Labels
topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/enhancement An improvement of existing functionality

Comments

@h3xx
Contributor

h3xx commented Dec 19, 2022

Description

The migration form exposes the auth token to screen capture/cameras/eyeballs.

Browsers also pick this up, adding it to their auto complete dictionary.

Note: I already have a fix for this; I just wanted an issue to reference.

Gitea Version

2774671

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

[Screenshot: exposed auth token]

Git Version

No response

Operating System

No response

How are you running Gitea?

Reproducible on try.gitea.io, so however that's running.

Database

None

Notes from other discussions:

Yeah, hiding it is IMHO just asking for additional whitespaces causing troubles,... I'd also tend to just prevent auto-completion.

-- Originally posted by gapodo in https://codeberg.org/forgejo/forgejo/issues/150#issuecomment-732244

I see this as needing replacement with a password input with an eyeball to hide/show the password. E.g.:

[Screenshot: password-show-hide-for-login-form]

But I'm not sure what the best way to implement that in the current Gitea project is (or if the input type is already implemented elsewhere and I just need to pull it in). Anything I'd do, I'd want to make reusable.

@h3xx h3xx added the type/bug label Dec 19, 2022
@silverwind silverwind added type/enhancement An improvement of existing functionality topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! and removed type/bug labels Dec 23, 2022
silverwind added a commit to silverwind/gitea that referenced this issue Mar 17, 2023
@silverwind
Member

Let's reduce to one issue and move this to #22175.

@silverwind
Member

Actually, sorry, I see the other is actually the PR.

@silverwind silverwind reopened this Mar 17, 2023
h3xx added a commit to h3xx/gitea that referenced this issue Mar 18, 2023
Seen when migrating from other hosting platforms.

1. Prevents exposing the token to screen capture/cameras/eyeballs.
2. Prevents the browser from saving the value in its autocomplete
   dictionary, which often is not secure.

Closes go-gitea#22174

Signed-off-by: Dan Church <amphetamachine@gmail.com>
techknowlogick pushed a commit that referenced this issue Apr 23, 2023
Set `type="password"` on all `auth_token` fields

Seen when migrating from other hosting platforms.

1. Prevents exposing the token to screen capture/cameras/eyeballs.
2. Prevents the browser from saving the value in its autocomplete
dictionary, which often is not secure.

![exposed auth token](https://user-images.githubusercontent.com/615684/208541005-e2c9c6b0-3c6c-4a56-95d9-357b987aa0c8.png)

Closes #22174

---------

Signed-off-by: Dan Church <amphetamachine@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
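As an added example that is not part of this issue, the linked PR, or Gitea's own code: the two renderings of the `auth_token` field that the issue body and the commit message contrast (`type="text"` versus `type="password"`), a small markup audit that flags token fields still rendered as plain text, and the reusable show/hide "eyeball" toggle h3xx suggests. The `autocomplete="off"` attribute, the sample form markup and the field names other than `auth_token` are constructed for the example; the attribute parsing is a deliberately simple regex meant for static template strings, not a full HTML parser.

```javascript
// Added example, not Gitea's code. Assumes the token field is named
// "auth_token" and that form markup is available as a plain string; the
// sample markup below is constructed for this example.

// Escape a value for safe use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Before the fix: the token is typed into a visible text field, so it is
// readable by anyone looking at the screen and the browser may add it to
// its autocomplete dictionary.
function renderExposedTokenField(name = "auth_token") {
  return `<input type="text" name="${escapeAttr(name)}">`;
}

// After the fix: type="password" masks the characters on screen;
// autocomplete="off" (an addition here, not part of the commit) asks the
// browser not to remember the value.
function renderMaskedTokenField(name = "auth_token") {
  return `<input type="password" name="${escapeAttr(name)}" autocomplete="off">`;
}

// Collect the attributes of every <input> tag in a markup string.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let m;
    while ((m = attrRe.exec(tag[1])) !== null) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Audit: names of token fields that are still rendered as plain text.
// An <input> without a type attribute defaults to type="text".
function findExposedTokenFields(html, tokenNames = ["auth_token"]) {
  return parseInputs(html)
    .filter((a) => tokenNames.includes((a.name || "").toLowerCase()))
    .filter((a) => (a.type || "text").toLowerCase() !== "password")
    .map((a) => a.name);
}

// Reusable show/hide toggle for the "eyeball" button. Works on a real
// <input> element or on any object with a `type` property.
function toggleTokenVisibility(input) {
  input.type = input.type === "password" ? "text" : "password";
  return input.type;
}

// Wire the toggle to a button; in a browser both arguments are DOM elements.
function attachVisibilityToggle(input, button) {
  button.addEventListener("click", () => {
    const shown = toggleTokenVisibility(input) === "text";
    button.setAttribute("aria-pressed", String(shown));
    button.textContent = shown ? "Hide" : "Show";
  });
}

// Usage: audit a (constructed) migration form before and after the change.
const constructedForm =
  '<form><input type="text" name="clone_addr">' +
  renderExposedTokenField() +
  '<input type="password" name="auth_password"></form>';
console.log(findExposedTokenFields(constructedForm)); // ["auth_token"]
console.log(findExposedTokenFields(renderMaskedTokenField())); // []
```

The masking is the reliable part of the change: it is what stops screen capture, cameras and bystanders from reading the token. Modern browsers frequently ignore `autocomplete="off"` on password fields and still offer to save the value in their password manager, so treat that attribute as best effort. The audit function is the kind of check worth running over templates in CI so a later template does not quietly reintroduce a `type="text"` token field.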
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 8, 2023