  1. mod-email
  2. MODEMAIL-77

SMTP credentials are stored in plain text - security concern


Details

    • Bug
    • Status: Closed
    • P3
    • Resolution: Duplicate
    • None
    • None
    • None
    • Vega
    • Not Scheduled
    • Architecture issue

    Description

      Overview:

      mod-configuration is storing SMTP details, including SMTP username and password, in plaintext as config entries. Anyone with a valid okapi token can access these credentials and manipulate them. This is a security concern.

      Steps to Reproduce:

      1. Log into Morning Glory Bugfest
      2. curl --location --request GET 'https://okapi-bugfest-mg.int.aws.folio.org/configurations/entries?limit=100&query=module==SMTP_SERVER' \
           --header 'x-okapi-tenant: fs09000000' \
           --header "x-okapi-token: ${XOKAPITOKEN}"

        Response:
        {
          "configs": [
            {
              "id": "bbc01fbf-2fa8-47c1-bae6-9b26cfbce3c9",
              "module": "SMTP_SERVER",
              "configName": "smtp",
              "code": "EMAIL_SMTP_HOST_DISABLED",
              "description": "",
              "default": true,
              "enabled": true,
              "value": "xxxxxxxxxxxxxxxxxx"
            },
            {
              "id": "37128a64-7da5-481e-958d-65d5ebe9cb02",
              "module": "SMTP_SERVER",
              "configName": "smtp",
              "code": "EMAIL_USERNAME",
              "description": "",
              "default": true,
              "enabled": true,
              "value": "xxxxxxxxxxxx"
            }
          ]
        }

      I have masked the credentials with x

      Expected Results:

      Credentials should not be stored in plaintext

      Actual Results:

      Credentials are stored in plaintext in the database

      Additional Information:

      Storing credentials in plain text in the database is not a good practice. These credentials are available to anyone who has mod-configuration enabled, which can be misused. I propose that mod-configuration stores the credentials in some kind of secret vault, for example, integrate with AWS Parameter Store or Secrets Manager. There are also other options available, but they need to be investigated.

      Note that this change will also affect mod-email. These credentials are fetched by mod-email for email verification - https://github.com/folio-org/mod-email/blob/9119fc3d40fe6dfc60b583f7fd29629f09473217/descriptors/ModuleDescriptor-template.json#L24

      Interested parties:

              People

                Unassigned Unassigned
                varunjavalkar Varun Javalkar
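
An added example, not part of the original report or of FOLIO's code: a Python check that takes a `/configurations/entries` response like the one in the report, lists entries whose `code` looks like a credential and holds a non-empty value, and returns a masked copy that can be attached to a ticket. The code-name pattern, the function names and the sample entries are assumptions constructed for illustration.

```python
import copy
import json
import re

# Assumption: config codes containing these words hold secrets; tune per deployment.
SENSITIVE_CODE = re.compile(r"PASSWORD|USERNAME|SECRET|TOKEN|API_?KEY", re.IGNORECASE)
MASK = "xxxxxxxx"  # fixed length, so the mask does not reveal the secret's length

# Constructed sample in the shape of the response shown in the report.
# Ids and values are made up; only EMAIL_USERNAME appears as a code in the report.
SAMPLE_RESPONSE = json.loads("""
{"configs": [
  {"id": "00000000-0000-0000-0000-000000000001", "module": "SMTP_SERVER",
   "configName": "smtp", "code": "EMAIL_SMTP_HOST", "value": "smtp.example.org"},
  {"id": "00000000-0000-0000-0000-000000000002", "module": "SMTP_SERVER",
   "configName": "smtp", "code": "EMAIL_USERNAME", "value": "mailer@example.org"},
  {"id": "00000000-0000-0000-0000-000000000003", "module": "SMTP_SERVER",
   "configName": "smtp", "code": "EMAIL_PASSWORD", "value": "constructed-not-real"},
  {"id": "00000000-0000-0000-0000-000000000004", "module": "SMTP_SERVER",
   "configName": "smtp", "code": "EMAIL_PASSWORD", "value": ""}
]}
""")

def is_plaintext_credential(entry):
    """True when the code looks sensitive and a non-empty value is stored."""
    value = str(entry.get("value") or "").strip()
    return bool(SENSITIVE_CODE.search(entry.get("code", ""))) and bool(value)

def find_plaintext_credentials(response):
    """Return one finding per exposed entry; findings never carry the value."""
    return [{"id": e.get("id"), "module": e.get("module"), "code": e.get("code")}
            for e in response.get("configs", []) if is_plaintext_credential(e)]

def redact(response):
    """Return a deep copy with exposed values masked; the input is not modified."""
    safe = copy.deepcopy(response)
    for entry in safe.get("configs", []):
        if is_plaintext_credential(entry):
            entry["value"] = MASK
    return safe

if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_RESPONSE):
        print(f"plaintext credential: {f['module']}/{f['code']} (id {f['id']})")
    print(json.dumps(redact(SAMPLE_RESPONSE), indent=2))
```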