run.codes password is stored in plain text #5

Open
lucasgpulcinelli opened this issue Nov 16, 2022 · 0 comments
Labels
security Possible security problem

@lucasgpulcinelli

As the title suggests, after running run-cli credentials, the user email and password are stored in plain text at ~/.config/.run-cli/run-cli-credentials.toml, giving attackers potential control over the whole user account.

I suggest either adding a token-based authentication system in the run.codes site (ideally limiting access the same way GitHub or AWS tokens do), adding password storing in the same way as in docker login, or supporting a --credentials option that lets users secure their passwords in other places and pass them via the command line when needed (of course, ideally in an environment variable, because of the command history file).

@Math-42 Math-42 changed the title from "[SECURITY] run.codes password is stored in plain text" to "run.codes password is stored in plain text" Nov 16, 2022
@Math-42 Math-42 added the security Possible security problem label Nov 16, 2022
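
One way to check for the exposure reported above and to take the password from the environment instead, as an added example that is not run-cli's own code. The variable name `RUN_CLI_PASSWORD` and the `password` key in the TOML file are assumptions, since the issue shows neither.

```python
import os
import stat

ENV_VAR = "RUN_CLI_PASSWORD"  # hypothetical name, not defined by run-cli
CRED_FILE = "~/.config/.run-cli/run-cli-credentials.toml"  # path from the issue


def audit_credentials_file(path=CRED_FILE):
    """Return findings about a credentials file left on disk."""
    path = os.path.expanduser(path)
    if not os.path.exists(path):
        return []
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Any group/other permission bit means other local accounts can reach it.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} is accessible beyond the owner")
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            # Assumed key name: the issue does not show the file layout.
            if sep and key.strip().lower() == "password" and value.strip(' "\'\n'):
                findings.append("non-empty plaintext password entry")
    return findings


def resolve_password(env=None, prompt=None):
    """Take the secret from the environment or a prompt, never from the file."""
    env = os.environ if env is None else env
    value = env.get(ENV_VAR)
    if value:
        return value, "environment"
    if prompt is not None:
        return prompt("run.codes password: "), "prompt"
    raise RuntimeError(f"set {ENV_VAR} or run in a terminal")


if __name__ == "__main__":
    import getpass
    for finding in audit_credentials_file():
        print("finding:", finding)
    _, source = resolve_password(prompt=getpass.getpass)
    print("password taken from:", source)
```

Tightening the file to mode 0600 removes only the first finding; the plaintext entry remains readable by anything running as the same user.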