Apigee Edge admin page shows password in plaintext within source #415
Comments
The Apigee Edge module uses the Drupal Key module to store the Edge credentials. If you install using Kickstart it will use the Configuration Key Provider since no other Key Providers are available. Check out our FAQ on making the Edge connection more secure for instructions on how to update your site. This issue should be more clear when installing and reading documentation. Tasks
We are using the Apigee Edge: Private File - but that’s not the problem. The problem is not the key provider. The problem is that when you go to that page, if you view source of the web page - you can see password in plain text.
I also added #418 for putting a warning message in when using configuration key provider.
The idea of using the private filesystem is that you have a location outside the Drupal webroot that should have file permissions set so that it is only accessible by the system and proper unix users. If you encrypt the password, then you will also need to have a way to decrypt the password, which means the decryption technique will have to be on the same server also. This would only be a layer of obscurity. The Key module's project page talks about how you can use different Key providers; if you want added security you can also use a key management solution as they describe on that page. If neither of those Key providers are what you are looking for, you can also write your own custom module to create your own Key Provider solution; check out this code to see how we wrote our own Key Provider plugins.
I don’t know that we’re on the same page. I think you’re focusing on how the key is stored, and I’m focusing on how the rendered web page handles the key. None of my issues are with how the keys are stored. The key storage is not the issue. The issue is when the web page is loaded in the admin, a person could view the rendered web page source and see the password. Nothing in the docs I’ve read tells me that how the key is stored would change that. So my question: Does changing the key storage option affect how the key is rendered in the HTML source code?
Sorry @akac, my fault for not reading carefully. I now correctly understand your issue. We will work on a way to fix this.
This is an admin form so only a small group of ppl should have access to it. I can only imagine this as a security issue if the page can be cached on the client side, otherwise it is as insecure as any admin page. If an admin user leaves his/her machine unattended and unlocked then this is only one of the places that a malicious user can leverage to do bad things. We usually install Autologout module as a workaround which logs out users after X amount of inactivity automatically.
Admin forms are vectors for attacks. Someone who breaks into the portal admin page would now also be able to break into Apigee. The purpose is to diminish the attack vector. Either way, this was identified by a penetration test team as a vulnerability and we were asked to raise the problem with this project.
Suggestion: with a custom access checker in your project, disable the admin form of the module completely on production if this is a hard requirement on the project.
I am modifying the app credentials view to use AJAX to dynamically pull credentials when the eye icon is pressed.
The kickstarter modifies the app page with the toggle that shows/hides credentials. I think I got it working with the new endpoint for credentials. Making the change in the edge module to support the same toggle.
Here are the two PRs related to this issue:
Above PRs don't apply to this bug
@arunz6161 I have a possible solution in this PR #457, so the idea is to make the password field empty and always required. Whenever an admin makes changes to the connection settings they would have to provide the password. What do you think about this approach @arunz6161 @arlina-espinoza @cnovak
I would rather follow the way the SMTP module does the password, where if you don't put it in it is left unchanged. This way if someone submits a change to the form they do not lose the current password. This could cause an outage on a production site.
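One way to implement the SMTP-style behaviour discussed in the last two comments in a Drupal config form, as an added illustration that is not code from the apigee_edge module or from PR #457. The module namespace, form id and config name are hypothetical, and it writes the secret to plain config for brevity where the real module delegates storage to the Key module.

```php
<?php

namespace Drupal\my_edge_form\Form;

use Drupal\Core\Form\ConfigFormBase;
use Drupal\Core\Form\FormStateInterface;

// Connection settings form that never echoes the stored password back.
// Added illustration: module name, form id and config name are hypothetical.
class ConnectionSettingsForm extends ConfigFormBase {
  protected function getEditableConfigNames() {
    return ['my_edge_form.settings'];
  }
  public function getFormId() {
    return 'my_edge_form_connection_settings';
  }
  public function buildForm(array $form, FormStateInterface $form_state) {
    $config = $this->config('my_edge_form.settings');
    $has_password = (string) $config->get('password') !== '';
    $form['username'] = [
      '#type' => 'textfield',
      '#title' => $this->t('Username'),
      '#default_value' => $config->get('username'),
      '#required' => TRUE,
    ];
    // No #default_value: the stored secret never reaches the rendered markup.
    $form['password'] = [
      '#type' => 'password',
      '#title' => $this->t('Password'),
      '#required' => !$has_password,
      '#description' => $has_password
        ? $this->t('Leave blank to keep the current password.')
        : $this->t('Required for the initial connection.'),
    ];
    return parent::buildForm($form, $form_state);
  }
  public function submitForm(array &$form, FormStateInterface $form_state) {
    $config = $this->config('my_edge_form.settings');
    $config->set('username', $form_state->getValue('username'));
    // Only overwrite the secret when a new one was typed, so resaving the form
    // for an unrelated change cannot wipe the production password.
    $password = (string) $form_state->getValue('password');
    if ($password !== '') {
      $config->set('password', $password);
    }
    $config->save();
    parent::submitForm($form, $form_state);
  }
}
```

After saving, view the page source of the settings form: the secret should appear neither in the form markup nor in drupalSettings, which is the check the penetration testers in this thread were running.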
…ty. (Similar to what SMTP module does).
…sword field because it is always empty.
… form (#457) * [#415] Always require password when making connection changes. * [#415] Make sure password is set only when the field is not empty. (Similar to what SMTP module does). * [#415] Troubleshoot failed tests. We no longer need to test password field because it is always empty. * [#415] Refine authentication form. * [#415] Fix WSOD when saving credentials. * [#415] Fix tests. * [#415] Fix code sniffer. Co-authored-by: Arlina Espinoza <[email protected]>
Description
As a security concern, the Apigee Edge plugin config should not have the password in plain text within the source.
Steps to Reproduce
Steps to reproduce the behavior:
Actual Behavior
Password is shown in plain text within the source
Expected Behavior
No password is ever shown. It may be saved but never retrieved. Or if it's retrieved it's done via a GET call.
Version Info
Machine name: apigee_edge
Version: 8.x-1.6