
Username and password for choco apikey not encrypted in output #1106

Closed
dragon788 opened this issue Dec 22, 2016 · 3 comments

Comments

@dragon788 (Contributor)

What You Are Seeing?

When I call choco apikey with a feed that has a username and password associated, I wouldn't expect the password to appear in plaintext.

PS C:\vagrant> choco apikey -k myuser:mypass -s "http://chocolatey.org"
Chocolatey v0.10.3
Added ApiKey for http://chocolatey.org

PS C:\vagrant> choco apikey
Chocolatey v0.10.3
http://chocolatey.org - myuser:mypass

What is Expected?

I expect at least the hashed version or the password to be hidden/obfuscated similar to how choco source shows (Authenticated) when a feed has been provided credentials. I can always update a key with new credentials if I'm not sure what they were authenticated with, but I currently can't remove one that is leaking credentials without hacking the chocolatey.config file.

PS C:\vagrant> choco apikey
Chocolatey v0.10.3
http://chocolatey.org - (Authenticated)

How Did You Get This To Happen? (Steps to Reproduce)

choco apikey -k myuser:mypass -s "http://chocolatey.org"
choco apikey
@dragon788 (Contributor, Author)

@ferventcoder This may fall under security?

@ferventcoder (Member)

Interesting. Yeah, I think that would definitely not be something you want to return in the output.

@ferventcoder ferventcoder added this to the 0.10.4 milestone Dec 22, 2016
paulhunttech pushed a commit to paulhunttech/choco that referenced this issue Jan 3, 2017
Previously the 'choco apikey' command wrote the API key for a source to the output in plain text which is a potential security issue. Update the generated output to "(Authenticated)" if the API key is not null or whitespace.
paulhunttech pushed a commit to paulhunttech/choco that referenced this issue Jan 3, 2017
Previously the 'choco apikey' command wrote the API key for a source to the output in plain text which is a potential security issue. Update the generated output to "(Authenticated)" if the API key is not null or whitespace.

Replaced credentials from apikey output and replaced with "(Authenticated)"
paulhunttech pushed a commit to paulhunttech/choco that referenced this issue Jan 3, 2017
Some folks may find the message "You use Chocolatey? You are amazing!"
to be unprofessional. While it was meant to be a compliment, it can be
misconstrued as sarcastic. Use a more professional message instead.

(chocolateyGH-1106) Remove plain text key value from apikey call output

Previously the 'choco apikey' command wrote the API key for a source to the output in plain text which is a potential security issue. Update the generated output to "(Authenticated)" if the API key is not null or whitespace.

Replaced credentials from apikey output and replaced with "(Authenticated)"
paulhunttech pushed a commit to paulhunttech/choco that referenced this issue Jan 3, 2017
Previously the 'choco apikey' command wrote the API key for a source to the output in plain text which is a potential security issue. Update the generated output to "(Authenticated)" if the API key is not null or whitespace.

Replaced credentials from apikey output and replaced with "(Authenticated)".
ferventcoder pushed a commit that referenced this issue Mar 22, 2017
Previously the 'choco apikey' command wrote the API key for a source to
the output in plain text which is a potential security issue. Update the
generated output to "(Authenticated)" if the API key is not null or
whitespace.

Replaced credentials from apikey output and replaced with "(Authenticated)".
ferventcoder added a commit that referenced this issue Mar 22, 2017
* pr1122:
  (GH-1106) Do not display ApiKey in output
ferventcoder added a commit that referenced this issue Mar 22, 2017
* stable:
  (GH-1106) Do not display ApiKey in output
  (GH-1018) Always refer to provided checksum type
  (GH-942) Override local version
  (GH-942) update NuGet.Core
  (GH-1205) List - Do not show pkg sync prog/features
  (GH-1181) Document self-service source requirement
  (maint) formatting
  (specs) set baselines
@ferventcoder ferventcoder self-assigned this Mar 22, 2017
@ferventcoder (Member)

Completed for 0.10.4
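The leak reported above and the fix described in the referenced commits (print "(Authenticated)" whenever a stored key is not null or whitespace, never the key itself), shown side by side as an added Python example; this is not Chocolatey's code, and the source store, URLs and credential values are constructed for the example.

```python
"""Added example (not Chocolatey's code): masking stored API keys when a CLI
lists its configured sources, modelled on the fix described in this issue."""

# Constructed sample of what a chocolatey.config-style key store might hold.
SOURCES = {
    "http://chocolatey.org": "myuser:mypass",    # constructed credential
    "http://internal.example/nuget": "   ",       # whitespace-only key
    "http://public.example/feed": None,           # no key stored
}


def list_apikeys_leaky(sources):
    """Pre-fix behaviour: echo whatever is stored for each source verbatim."""
    return [f"{url} - {key}" for url, key in sources.items() if key is not None]


def list_apikeys_masked(sources):
    """Post-fix behaviour: a fixed marker when a usable key exists, never the key.

    The null-or-whitespace test mirrors the condition named in the commit
    message; the "(none)" marker for sources without a key is an assumption."""
    lines = []
    for url, key in sources.items():
        if key is not None and key.strip():
            lines.append(f"{url} - (Authenticated)")
        else:
            lines.append(f"{url} - (none)")
    return lines


def leaked_secrets(output_lines, secrets):
    """Regression check: return every stored secret that appears verbatim in
    the rendered output, so a test can fail if masking ever regresses."""
    text = "\n".join(output_lines)
    return sorted(s for s in secrets if s is not None and s.strip() and s in text)


if __name__ == "__main__":
    print("\n".join(list_apikeys_masked(SOURCES)))
    assert leaked_secrets(list_apikeys_masked(SOURCES), SOURCES.values()) == []
```

Running `leaked_secrets` over the leaky listing reports the credential; over the masked listing it reports nothing, which is the assertion a regression test for this issue should carry.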
