Gitea: Security issue: scratch tokens are plaintext in the database
- Gitea version (or commit ref): 1.3.1
- Git version: 2.15.1
- Operating system: FreeBSD 11 x64
- Database (use
[x]):
- [x] PostgreSQL
- [ ] MySQL
- [ ] MSSQL
- [ ] SQLite
- Can you reproduce the bug at https://try.gitea.io:
- [ ] Yes (provide example URL)
- [ ] No
- [x] Not relevant
- Log gist:
Description
User scratch tokens are stored in plain text in the database. These should be encrypted because it will allow anyone with database access to grab the token and bypass 2 factor authentication. While not likely still should be considered an issue. I would also suggest in allowing for more than one token which would all be stored encrypted in some fashion in the database.
ghost
All 6 comments
Any progress on resolving this?
ghost
on 12 Apr 2018
Any suggest to resolve this problem?
lunny
on 12 Apr 2018
I think for this you could store only the hashed or bcrypted value and handle it like a password. If the user loses said token then they just cannot recover their account, similar to how it works with GitHub if you lose your 2FA token.
ghost
on 23 Apr 2018
Another +1 for bcrypt as a valid, secure, and tuneable implementation for hashing. \^\^
TangentFoxy
on 5 May 2018
@lunny @Guard13007 @cezar97 I suggest using the same KDF as we do for passwords. So PBKDF2 with SHA256. So we can almost copy/paste the hashing from user creation.
daviian
on 5 May 2018
@daviian That is also a completely valid option. And if it allows for more code re-use, probably a good idea.
TangentFoxy
on 7 May 2018
Related issues
jorise7
路
3Comments
kolargol
路
3Comments
lunny
路
3Comments
haytona
路
3Comments
BRMateus2
路
3Comments
Most helpful comment
@lunny @Guard13007 @cezar97 I suggest using the same KDF as we do for passwords. So PBKDF2 with SHA256. So we can almost copy/paste the hashing from user creation.