Security: Looking for Reviewer #18

Closed
opened 2023-01-29 12:13:11 +01:00 by RobWalt · 2 comments
Contributor
I'm not too sure about some parts of the app. There are mainly two major things I'd like to be reviewed:

  • API endpoint injections: I think we need to do more validation on user input
    on some of the commands.
  • Credentials: I'm not sure if storing the credentials in the `DATA_DIR` is a
    good idea. I haven't found anything on the topic of where they should belong.

Please feel free to contact me if you see any other issues regarding the app's security.
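The "API endpoint injections" point above is about user-supplied values (owner, repository, issue number) ending up in the request path. The following is an added example, not codeberg-cli's own code: it contrasts a naive URL builder with one that allow-lists each path segment and percent-encodes it before it is joined into the endpoint. It assumes the Forgejo/Gitea API layout used by codeberg.org (`/api/v1/repos/{owner}/{repo}/...`) and assumes, as a conservative rule, that owner and repository names contain only ASCII letters, digits, `-`, `_` and `.`; the exact character set the server accepts should be checked against the API documentation.

```rust
// Added example, not codeberg-cli's own code. Assumes the Forgejo/Gitea API
// layout used by codeberg.org (/api/v1/repos/{owner}/{repo}/...).
const API_BASE: &str = "https://codeberg.org/api/v1";

#[derive(Debug, PartialEq)]
pub enum SegmentError {
    Empty,
    TooLong,
    Reserved,
    BadChar(char),
}

/// The insecure version: whatever the user typed lands verbatim in the URL path.
/// An owner of "../../admin/users" walks out of /repos/ and hits another endpoint.
pub fn naive_issues_url(owner: &str, repo: &str) -> String {
    format!("{}/repos/{}/{}/issues", API_BASE, owner, repo)
}

/// Allow-list check. Assumption: owner and repository names may contain only
/// ASCII letters, digits, '-', '_' and '.', and "." / ".." are never valid names.
pub fn validate_segment(s: &str) -> Result<&str, SegmentError> {
    if s.is_empty() {
        return Err(SegmentError::Empty);
    }
    if s.len() > 100 {
        return Err(SegmentError::TooLong);
    }
    if s == "." || s == ".." {
        return Err(SegmentError::Reserved);
    }
    if let Some(c) = s
        .chars()
        .find(|&c| !(c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.')))
    {
        return Err(SegmentError::BadChar(c));
    }
    Ok(s)
}

/// Defence in depth: percent-encode everything outside the RFC 3986 "unreserved"
/// set, so a segment can never carry '/', '?', '#' or '%' into the request line
/// even if the allow-list above is loosened later.
pub fn percent_encode_segment(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Hardened version: validate, then encode, then build the URL.
pub fn issues_url(owner: &str, repo: &str) -> Result<String, SegmentError> {
    let owner = percent_encode_segment(validate_segment(owner)?);
    let repo = percent_encode_segment(validate_segment(repo)?);
    Ok(format!("{}/repos/{}/{}/issues", API_BASE, owner, repo))
}

fn main() {
    println!("naive:    {}", naive_issues_url("../../admin/users", "x"));
    println!("hardened: {:?}", issues_url("Aviac", "codeberg-cli"));
    println!("hardened: {:?}", issues_url("../../admin/users", "x"));
}
```

The allow-list is the real control; the percent-encoding is there so that a later relaxation of the allow-list (say, to accept Unicode names) cannot silently reintroduce path traversal or query-string injection. Numeric arguments such as issue or PR numbers should be parsed as integers before formatting for the same reason.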
RobWalt changed title from "Security: Reviewer wanted" to "Security: Looking for Reviewer" 2023-02-05 12:07:14 +01:00

> Credentials: I'm not sure if storing the credentials in the `DATA_DIR` is a good idea. I haven't found anything on the topic of where they should belong.

For reference, [`gh`](https://github.com/cli/cli/releases/tag/v2.24.0) (GitHub's CLI) stores its tokens by default, before storing in files, in:

  • macOS Keychain
  • Gnome Secret Service
  • Wincred for Windows

This has the advantage that it is encrypted, but:

  • Headless systems (especially Linux) are unlikely to support Gnome SS
  • They don't support KDE KWallet

In the matter of libraries, there is:

  • [secret-service-rs](https://github.com/hwchen/secret-service-rs)
  • [apple-security-sys](https://lib.rs/crates/apple-security-sys)
  • [winapi](https://lib.rs/crates/winapi) has bindings for wincred

KWallet is specific in that it has quite new and broken support for the SS API ([see this](https://github.com/frankosterfeld/qtkeychain/pull/221#issuecomment-1241144580)), and would prefer its own API for the time being... The main issue with this one is that there are no ready-made Rust KWallet APIs.
Owner

I think this can be closed for now