Skip to content
Snippets Groups Projects

bug: Security Fixes: Admin Secrets

    • Open Issue created by Ghost User @ghost

    Created by: Amelia

    💡 Summary

    Currently Secrets such as S3 and Email Passwords are hidden behind a password field that can just be changed to type text this is not Unique to Sharkey as this is possible to do on Misskey and FireFish but this should be fixed as its dumb, and in my opinion a big flaw in securing secrets further more the Misskey Moderation Tab seems to leak all Secrets aswell when updating a Server, User, Role or other action, begging the question if Server Moderators can view secrets that they are not supposed to see and that are only intended for Admins

    🥰 Expected Behavior

    Secrets in password fields should be properly hidden and not be able to exposed by changing the field to text Secrets should not be exposed in the mod logs as this has security risks, also Moderators shouldn't have access to these secrets

    🤬 Actual Behavior

    Secrets in password fields can be exposed by changing the type to text with html edit (inspect) Mod Log exposes secrets on some actions this might be visible to all Moderators not just Admins

    📝 Steps to Reproduce

    1. Open Admin Control Panel with Secrets (SMTP for example)
    2. Open Inspector(ctrl + shift + i)
    3. Edit Password field to text

    📌 Environment

    💻 Frontend

    • Model and OS of the device(s): Any
    • Browser: Any (with inspect)
    • Server URL: Any
    • Sharkey: Any
    • Other Environments that could be affected by this and should be informed: firefish, misskey and iceshrimp

    Designs

      Child items 0

      2. No child items are currently assigned. Use child items to break down this issue into smaller parts.

      Activity

      • Marie
        Marie @Marie ·
        Developer

        also Moderators shouldn't have access to these secrets

        Mods don't have access to the smtp, s3 and etc tabs

        the mod log is the only issue where it shows it to every mod

      • Ghost User
        Ghost User @ghost ·
        Author Contributor

        Created by: Amelia

        also Moderators shouldn't have access to these secrets

        Mods don't have access to the smtp, s3 and etc tabs

        the mod log is the only issue where it shows it to every mod

        yeah thats what i mean but also we should fix the ability to just html edit the admin pages to reveal passwords

      • Ghost User
        Ghost User @ghost ·
        Author Contributor

        Created by: Amelia

        also Moderators shouldn't have access to these secrets

        Mods don't have access to the smtp, s3 and etc tabs the mod log is the only issue where it shows it to every mod

        yeah thats what i mean but also we should fix the ability to just html edit the admin pages to reveal passwords

        thats intended behavior afaik. What we should change it to tho, is that the password and 2nd factor is checked again (like GH does) before showing these secrets

      • Ghost User
        Ghost User @ghost ·
        Author Contributor

        Created by: Amelia

        Another secret is the deepL API key needs to be sanitized.

      Please register or sign in to reply