
Security Flaw In How Jedis Stores Server Password #632

Closed
saden1 opened this issue May 6, 2014 · 1 comment · Fixed by #3224
saden1 commented May 6, 2014

Jedis stores the Redis server password as a String. Both the "Java Cryptography Architecture guide" and the "Secure Coding Guidelines for Java SE" recommend that sensitive information be stored in a char array instead of a String.

@HeartSaVioR
Contributor

Hello.
First of all, you're right! It saves us from memory attacks, core dumps, etc.
We need to change the method signature, and that means we would break compatibility.
So we can schedule it for a major release (currently 3.0.0).
We would be very happy if you provided a pull request!

Btw, Redis is not designed for strong security. Please refer to http://redis.io/topics/security for details.
In particular, the AUTH command is sent to Redis unencrypted, so Redis is exposed to network attackers!

So you should use a firewall, or add security layers (e.g. SSL) before using Redis.
Using only a password never saves us.

sazzad16 added a commit that referenced this issue Feb 14, 2023
References:

1. #1602 and related PRs. Current PR is probably better than handling in JedisFactory
2. redis/redis-py#2261 - main reason of this PR
3. redis/lettuce#1774
4. #632

---

* Introduce credentials provider

* use volatile

* Test in Sentineled mode

* Support CharSequence in DefaultRedisCredentials

* Added doc for prepare() and cleanUp()

* Test the provider interface

* Added example

* Removed deprecations
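The point raised in the issue and picked up by the commit above (a credentials holder that accepts a CharSequence and can be cleaned up) is that a char array can be overwritten in place after the AUTH argument has been encoded, whereas an immutable String lingers in the heap until the GC reclaims it. The following is an added example of that pattern; it is not Jedis's DefaultRedisCredentials, and the class and method names are hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical credential holder: keeps the secret as char[] so it can be zeroed.
public final class ZeroableCredentials implements AutoCloseable {
    private final char[] password;
    private boolean cleared;

    public ZeroableCredentials(char[] password) {
        // Defensive copy: the caller's array and this one are wiped independently.
        this.password = password.clone();
    }

    // Encode the secret into the bytes an AUTH-style command carries on the wire,
    // without ever materialising an immutable String copy of it.
    public byte[] passwordBytes() {
        if (cleared) throw new IllegalStateException("credentials already cleared");
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        // Scrub the encoder's intermediate heap buffer as well.
        if (buf.hasArray()) Arrays.fill(buf.array(), (byte) 0);
        return out;
    }

    // Overwrite the secret in place once the connection has been authenticated.
    @Override
    public void close() {
        Arrays.fill(password, '\0');
        cleared = true;
    }

    public boolean isCleared() { return cleared; }

    public static void main(String[] args) {
        // Constructed sample value; a real secret would come from e.g. Console.readPassword().
        char[] secret = "constructed-sample-secret".toCharArray();
        byte[] wire;
        try (ZeroableCredentials creds = new ZeroableCredentials(secret)) {
            wire = creds.passwordBytes();
            // ... hand `wire` to the AUTH command here ...
        }
        Arrays.fill(wire, (byte) 0);   // wipe the encoded copy after it has been sent
        Arrays.fill(secret, '\0');     // and the caller's own copy
        System.out.println("holder cleared, remaining secret chars: "
                + new String(secret).trim().length());
    }
}
```

Note that the sample in main() still goes through a String literal; in a real application the password should reach the holder as char[] from its source so that no String copy ever exists.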