Database is stored without encryption at rest #4784
Comments
The advisory is closed, but I think it is a good question, so I am making it public to see what other people think. @Tchebychev is concerned about plaintext storage of sensitive information inside the SQLite database, like a PostgreSQL monitor's password. But I didn't encrypt them, because I think encrypting them is meaningless, as the encryption key will be in the same data directory. If an attacker can read your SQLite database, they can probably get the encryption key to decrypt the information too. With user password hashing (one-way hashing), passwords can still be verified after being hashed. But for a PostgreSQL password, Uptime Kuma would have to decrypt it to connect to the PostgreSQL database. That is the difference.
From the advisory:
From another perspective, a lot of deployment methods like So, I think we need a strong reason why storing a plain text password in a .env file is considered acceptable, but Uptime Kuma is not ok.
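The distinction drawn above (a user password can be hashed one-way and still verified, while a monitor credential has to be recoverable, so it needs a key at runtime) and the "key in the same data directory" objection can be shown concretely. The following is an added example, not Uptime Kuma's own code: it models a data directory as a dict of files, with the hypothetical file names `kuma.db` and `db.key`, and compares what someone who can only read that directory recovers when the key is stored beside the database versus held outside it (environment variable, secret manager). It uses only the standard library; the reversible cipher is an HMAC-SHA256 counter-mode keystream standing in for a real AEAD such as AES-GCM, and is not something to ship.

```python
"""
Added example (not Uptime Kuma code): one-way hashing for user passwords
versus reversible encryption for monitor credentials, and why a key that
sits next to the database adds nothing for an attacker who can read the
data directory. Standard library only.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# ---- 1. User login password: hash once, verify later, never recover ----

def hash_user_password(password: str, salt: Optional[bytes] = None,
                       rounds: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256, stored as 'alg$rounds$salt$digest'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"

def verify_user_password(password: str, stored: str) -> bool:
    """Re-derive and compare in constant time; plaintext is never stored."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)

# ---- 2. Monitor credential: must come back as plaintext, so needs a key ----

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256; stand-in for AES-GCM only."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)

def encrypt_secret(key: bytes, plaintext: str) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _keystream_xor(key, nonce, plaintext.encode())

def decrypt_secret(key: bytes, blob: bytes) -> str:
    nonce, body = blob[:16], blob[16:]
    return _keystream_xor(key, nonce, body).decode()

# ---- 3. Two layouts, as seen by someone who can only read the data dir ----

def build_data_dir(monitor_password: str,
                   key_in_data_dir: bool) -> Tuple[Dict[str, bytes], bytes]:
    """Return (files in the data dir, key the running app holds).
    File names 'kuma.db' and 'db.key' are hypothetical."""
    key = secrets.token_bytes(32)
    files = {"kuma.db": encrypt_secret(key, monitor_password)}
    if key_in_data_dir:
        files["db.key"] = key  # the layout the comment above calls meaningless
    return files, key

def recover_from_data_dir(files: Dict[str, bytes]) -> Optional[str]:
    """What a reader of the data directory alone gets back."""
    if "db.key" in files:
        return decrypt_secret(files["db.key"], files["kuma.db"])
    return None  # ciphertext only; key lives elsewhere (env var, secret store)

if __name__ == "__main__":
    stored = hash_user_password("hunter2")  # constructed sample credential
    print("login verify:", verify_user_password("hunter2", stored))
    colocated, _ = build_data_dir("pg-s3cret", key_in_data_dir=True)
    print("key beside db ->", recover_from_data_dir(colocated))
    external, _ = build_data_dir("pg-s3cret", key_in_data_dir=False)
    print("key outside   ->", recover_from_data_dir(external))
```

With the key beside the database the attacker gets the monitor password back directly, which is the point made in the comment; only when the key is supplied from outside the data directory does encryption at rest change what a file-read compromise yields, and that is the same trust placed in a `.env` file.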
I have written my take on this one here: #4778 (comment)
=> let's continue any discussion there
Please respect my comment from above, let's continue the discussion in #4778
You have closed both this issue and the other as "completed" ¯\_(ツ)_/¯ And louislam explicitly wanted to know what other people think.
I think I have made my point that
Discussing stuff in two issues simultaneously does not really have a point => let's continue the discussion in #4778
DO NOT PROVIDE ANY DETAILS HERE. Please privately report to https://github.com/louislam/uptime-kuma/security/advisories/new.
Why is this issue needed? Because GitHub Advisories do not send a notification to @louislam; this issue is a workaround to do so.
Your GitHub Advisory URL: https://github.com/louislam/uptime-kuma/security/advisories/GHSA-5hjg-3v4v-3cx7