Added Passwordless Account check (#84) #86
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Accounts without passwords should be flagged to avoid unintended exposure. This goes doubly for accounts that are accessible outside of localhost. We don't currently case too much about what they have access to. We could examine if they only have read access (and whether it's limited to "monitoring" schemas like mysql or performance_schema) but that's a future refinement once we see what hits we get. Also required some refactoring of various bits of code and some hint at the newer structure for data objects (heading towards using readonly classes, using proper enums and named parameters which means this also bumps our requirements up to PHP 8.* as well). Ideally I want to be able to support multiple data sources (database, SQL definition files, etc) without massive refactoring.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Accounts without passwords should be flagged to avoid unintended exposure. This goes doubly for accounts that are accessible outside of localhost.
We don't currently case too much about what they have access to. We could examine if they only have read access (and whether it's limited to "monitoring" schemas like mysql or performance_schema) but that's a future refinement once we see what hits we get.
Also required some refactoring of various bits of code and some hint at the newer structure for data objects (heading towards using readonly classes, using proper enums and named parameters which means this also bumps our requirements up to PHP 8.* as well).
Ideally I want to be able to support multiple data sources (database, SQL definition files, etc) without massive refactoring.