When creating a mirror of a downstream git repo, https mirroring is the only option, and when using an authenticated mirror you must supply credentials for the mirror. These credentials then become part of the properties in the administration section of the mirror, and the password is displayed in plain clear text. This was confirmed on https://try.gitea.io and I have provided a screenshot that shows this security issue that exposes secrets in plain clear text with no option to mask the secret.
Basic auth credentials must be stored in plaintext somewhere and it's vital for verification to have them accessible in the UI. What could maybe be done is that users with non-owner permissions get to only see masked credentials, or even hide the whole URL from them.
I don't think it is vital to verify the password if it can easily be tested, and/or changed, but this isn't my main concern. There could simply be a toggle to unmask if that is a community need. I am more concerned that a drive-by unprivileged user could see the secrets, since they are not masked by default. Here is an example of how Atlassian Bamboo handles credentials, keeping the password field masked at all times, even while typing it in.
Here is an example of how Lastpass uses an unmasking toggle, keeping the password masked by default.
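The masking discussed in this thread, shown as an added Go example that is not Gitea's own code: a helper that takes a stored mirror URL and returns what a given viewer should see. The `Visibility` type and the `DisplayMirrorURL` function are assumptions introduced here for illustration; the password placeholder comes from the standard library's `url.URL.Redacted` (Go 1.15+), and the sample URL is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Visibility is a hypothetical policy for how a stored mirror URL is
// rendered in the repository settings page.
type Visibility int

const (
	ShowFull     Visibility = iota // owner chooses to unmask, e.g. via a toggle
	MaskPassword                   // default: keep the username, hide the password
	HideURL                        // non-owner on a locked-down instance: show nothing
)

// DisplayMirrorURL returns the form of raw that is safe to render for the
// given visibility level. The stored value itself is never changed; only
// the displayed string is. (Added example, not Gitea's implementation.)
func DisplayMirrorURL(raw string, v Visibility) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	switch v {
	case ShowFull:
		return u.String(), nil
	case MaskPassword:
		// Redacted replaces the password with "xxxxx" and leaves the
		// username, host and path intact, so the viewer can still confirm
		// which account and remote the mirror uses.
		return u.Redacted(), nil
	case HideURL:
		return "(hidden)", nil
	default:
		return "", errors.New("unknown visibility level")
	}
}

func main() {
	// Constructed sample: an authenticated HTTPS mirror URL as stored.
	raw := "https://bot:s3cret@git.example.com/org/repo.git"
	for _, v := range []Visibility{ShowFull, MaskPassword, HideURL} {
		shown, err := DisplayMirrorURL(raw, v)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(shown)
	}
}
```

Rendering with `MaskPassword` by default and only switching to `ShowFull` behind an explicit, owner-only unmask action gives the "masked unless toggled" behaviour described above without changing how the credential is stored.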