This repository has been archived by the owner on Jan 31, 2024. It is now read-only.
💡 Summary
Currently, secrets such as S3 and email passwords are hidden behind a password field that can just be changed to type text. This is not unique to Sharkey, as this is possible to do on Misskey and Firefish, but this should be fixed as it's dumb and, in my opinion, a big flaw in securing secrets. Furthermore, the Misskey Moderation tab seems to leak all secrets as well when updating a Server, User, Role or other action, begging the question of whether Server Moderators can view secrets that they are not supposed to see and that are only intended for Admins.
🥰 Expected Behavior
Secrets in password fields should be properly hidden and should not be able to be exposed by changing the field to text.
Secrets should not be exposed in the mod logs, as this has security risks; also, Moderators shouldn't have access to these secrets.
🤬 Actual Behavior
Secrets in password fields can be exposed by changing the type to text with an HTML edit (Inspect).
The Mod Log exposes secrets on some actions; this might be visible to all Moderators, not just Admins.
📝 Steps to Reproduce
Open Admin Control Panel with Secrets (SMTP for example)
Open Inspector (Ctrl + Shift + I)
Edit Password field to text
📌 Environment
💻 Frontend
Model and OS of the device(s): Any
Browser: Any (with inspect)
Server URL: Any
Sharkey: Any
Other Environments that could be affected by this and should be informed: firefish, misskey and iceshrimp
also Moderators shouldn't have access to these secrets
Mods don't have access to the SMTP, S3, etc. tabs.
The mod log is the only issue, where it shows it to every mod.
Yeah, that's what I mean, but also we should fix the ability to just HTML-edit the admin pages to reveal passwords.
That's intended behavior AFAIK. What we should change it to, though, is that the password and 2nd factor are checked again (like GH does) before showing these secrets.
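Added example, not Sharkey's or Misskey's own code, illustrating the two server-side fixes this thread points at: redacting secret fields before a settings change is written to the mod log (so every moderator can see that a secret changed, but not its value), and a step-up re-authentication gate, as proposed in the comment above, before an admin can have a stored secret sent to the browser at all. The setting names (smtpPass, objectStorageSecretKey, objectStorageAccessKey), the Session shape and the 5 minute window are assumptions.

```typescript
// Added example (not Sharkey/Misskey code). Field names below are assumptions.

// Settings keys whose values must never be written to the moderation log or
// sent to a moderator's browser. Names are assumed, not taken from the project.
const SECRET_KEYS: ReadonlySet<string> = new Set([
  'smtpPass',
  'objectStorageSecretKey',
  'objectStorageAccessKey',
]);

const REDACTED = '[redacted]';

type Settings = Record<string, unknown>;

// Builds the before/after pair stored in a mod log entry. Secret values are
// replaced, but the entry still records which secrets changed.
export function redactForModLog(before: Settings, after: Settings):
    { before: Settings; after: Settings; changedSecrets: string[] } {
  const scrub = (obj: Settings): Settings => {
    const out: Settings = {};
    for (const [k, v] of Object.entries(obj)) {
      // An empty/unset secret is left as-is so the log still shows "not configured".
      out[k] = SECRET_KEYS.has(k) && v != null && v !== '' ? REDACTED : v;
    }
    return out;
  };
  const changedSecrets: string[] = [];
  for (const k of SECRET_KEYS) {
    if (before[k] !== after[k]) changedSecrets.push(k);
  }
  return { before: scrub(before), after: scrub(after), changedSecrets };
}

// Step-up ("sudo mode") gate for a reveal-secret endpoint: the caller must be
// an admin AND have re-entered password + second factor within the window.
// The masking in the password field is purely cosmetic, so the real control
// is to not hand the value to the client until this check passes.
export interface Session {
  isAdmin: boolean;
  lastReauthAt: number | null; // epoch ms of the last password + 2FA check
}

export const REAUTH_WINDOW_MS = 5 * 60 * 1000; // assumed 5 minute window

export function canRevealSecrets(session: Session, now: number): boolean {
  if (!session.isAdmin) return false;              // moderators never see secrets
  if (session.lastReauthAt === null) return false; // never re-authenticated
  const age = now - session.lastReauthAt;
  return age >= 0 && age <= REAUTH_WINDOW_MS;
}
```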