github-starred/gitea
2
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-03-12 02:24:21 -05:00
Code Issues 2.6k Packages Projects Releases 100 Wiki Activity

Passwords for Database user and LDAP bind user are stored in plain text #7175

New Issue
Closed
opened 2025-11-02 07:18:30 -06:00 by GiteaMirror · 6 comments
GiteaMirror commented 2025-11-02 07:18:30 -06:00
Owner
Copy Link

Originally created by @GeyserLaPunk on GitHub (Apr 13, 2021).

  • Gitea version (or commit ref): 1.13.7
  • Git version: 2.14.0
  • Operating system: Windows 10/Server 2012
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
  • Log gist:

Bad security practice of storing passwords in plain text

Description

While application does provide a warning that it stores password in plain text, I think we all agree that this is a big security issue independently from how many privileges user has.
There is an existing module modules/secret/secret.go that allows for two way encryption. Why is it not used to encrypt password values stored in app.ini and in the database in case of LDAP auth.
...

Screenshots

Originally created by @GeyserLaPunk on GitHub (Apr 13, 2021). <!-- NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue --> <!-- 1. Please speak English, this is the language all maintainers can speak and write. 2. Please ask questions or configuration/deploy problems on our Discord server (https://discord.gg/gitea) or forum (https://discourse.gitea.io). 3. Please take a moment to check that your issue doesn't already exist. 4. Make sure it's not mentioned in the FAQ (https://docs.gitea.io/en-us/faq) 5. Please give all relevant information below for bug reports, because incomplete details will be handled as an invalid report. --> - Gitea version (or commit ref): 1.13.7 - Git version: 2.14.0 - Operating system: Windows 10/Server 2012 <!-- Please include information on whether you built gitea yourself, used one of our downloads or are using some other package --> <!-- Please also tell us how you are running gitea, e.g. if it is being run from docker, a command-line, systemd etc. ---> <!-- If you are using a package or systemd tell us what distribution you are using --> - Database (use `[x]`): - [ ] PostgreSQL - [ ] MySQL - [x] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [ ] Yes (provide example URL) - [ ] No - Log gist: <!-- It really is important to provide pertinent logs --> <!-- Please read https://docs.gitea.io/en-us/logging-configuration/#debugging-problems --> <!-- In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini --> Bad security practice of storing passwords in plain text ## Description <!-- If using a proxy or a CDN (e.g. CloudFlare) in front of gitea, please disable the proxy/CDN fully and connect to gitea directly to confirm the issue still persists without those services. --> While application does provide a warning that it stores password in plain text, I think we all agree that this is a big security issue independently from how many privileges user has. There is an existing module modules/secret/secret.go that allows for two way encryption. Why is it not used to encrypt password values stored in app.ini and in the database in case of LDAP auth. ... ## Screenshots <!-- **If this issue involves the Web Interface, please include a screenshot** -->
GiteaMirror added the topic/security label 2025-11-02 07:18:30 -06:00
GiteaMirror commented 2025-11-02 07:18:32 -06:00
Author
Owner
Copy Link

@zeripath commented on GitHub (Apr 13, 2021):

It sounds like you have identified the issue and the solution. Perhaps you could provide a PR?

@zeripath commented on GitHub (Apr 13, 2021): It sounds like you have identified the issue and the solution. Perhaps you could provide a PR?
GiteaMirror commented 2025-11-02 07:18:32 -06:00
Author
Owner
Copy Link

@GeyserLaPunk commented on GitHub (Apr 14, 2021):

It sounds like you have identified the issue and the solution. Perhaps you could provide a PR?

While I would like to help as much as I can, however I never wrote a line of code in GO, so until I'm comfortable doing it I should pass this opportunity to someone with more experience.

The logic should be pretty simple: you encrypt it as soon as you read it and decrypt it only when you need to use it.

@GeyserLaPunk commented on GitHub (Apr 14, 2021): > It sounds like you have identified the issue and the solution. Perhaps you could provide a PR? While I would like to help as much as I can, however I never wrote a line of code in GO, so until I'm comfortable doing it I should pass this opportunity to someone with more experience. The logic should be pretty simple: you encrypt it as soon as you read it and decrypt it only when you need to use it.
GiteaMirror commented 2025-11-02 07:18:32 -06:00
Author
Owner
Copy Link

@lunny commented on GitHub (Apr 14, 2021):

I cannot know what do you mean. Which table and which column?

@lunny commented on GitHub (Apr 14, 2021): I cannot know what do you mean. Which table and which column?
GiteaMirror commented 2025-11-02 07:18:32 -06:00
Author
Owner
Copy Link

@GeyserLaPunk commented on GitHub (Apr 14, 2021):

I cannot know what do you mean. Which table and which column?

Table: login_source,
Column: cfg

When login source is LDAP via BindDN bind password value within JSON string is plain text.
Not sure if any other sources have similar issue as I haven't tried them.

Also, database user password in app.ini database section PASSWD value is plain text as well.

@GeyserLaPunk commented on GitHub (Apr 14, 2021): > I cannot know what do you mean. Which table and which column? Table: login_source, Column: cfg When login source is LDAP via BindDN bind password value within JSON string is plain text. Not sure if any other sources have similar issue as I haven't tried them. Also, database user password in app.ini database section PASSWD value is plain text as well.
GiteaMirror commented 2025-11-02 07:18:32 -06:00
Author
Owner
Copy Link

@zeripath commented on GitHub (Apr 19, 2021):

That the configuration file contains necessary passwords for configuring the service is essentially unfixable - at some point these have to be unencrypted and the secrets have to become available some way.

I have however, put a PR up that encrypts the ldap bind password within the db.

@zeripath commented on GitHub (Apr 19, 2021): That the configuration file contains necessary passwords for configuring the service is essentially unfixable - at some point these have to be unencrypted and the secrets have to become available some way. I have however, put a PR up that encrypts the ldap bind password within the db.
GiteaMirror commented 2025-11-02 07:18:32 -06:00
Author
Owner
Copy Link

@GeyserLaPunk commented on GitHub (Apr 20, 2021):

That the configuration file contains necessary passwords for configuring the service is essentially unfixable - at some point these have to be unencrypted and the secrets have to become available some way.

I would have to respectfully disagree with your statement. Any password should be encrypted the moment it was read during initial setup and held in the encrypted state in any long term storage (memory, text file, etc.). decryption should occur at the place of the immediate use, such as when connection to DB is happening. It just feels like a common sense.

I have however, put a PR up that encrypts the ldap bind password within the db.

That is a step in the right direction. Thank you.

@GeyserLaPunk commented on GitHub (Apr 20, 2021): > That the configuration file contains necessary passwords for configuring the service is essentially unfixable - at some point these have to be unencrypted and the secrets have to become available some way. I would have to respectfully disagree with your statement. Any password should be encrypted the moment it was read during initial setup and held in the encrypted state in any long term storage (memory, text file, etc.). decryption should occur at the place of the immediate use, such as when connection to DB is happening. It just feels like a common sense. > I have however, put a PR up that encrypts the ldap bind password within the db. That is a step in the right direction. Thank you.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
Mirrored from GitHub Pull Request
 reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
No Label topic/security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#7175
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?