Password is visible in plaintext as value of an environment variable inside docker container

[dejansub]

Expected behavior

As a best security practice, no passwords should be kept anywhere on the system in plaintext.

Actual behavior

After creating a docker container per instructions here: https://jamdocs.org/software/installation/#manual-installation I've observed that plaintext password is visible inside docker container as value of APP_PASSWORD environment variable.

I have also verified the same holds true in a docker container on Umbrel.

Steps to reproduce the problem

See above

Specifications

• Version: 0.3.0

• Platform: Ubuntu

• Version: 0.3.0

• Platform: Umbrel

Additional context

As a general rule, only hash of password should be kept in persistent storage and password verification should be done by hashing input password and comparing it with stored hash.

Additional reading: https://cwe.mitre.org/data/definitions/256.html

[theborakompanioni]

Hey @dejansub!

Thanks for the heads up. Yes, this is indeed a problem.
The password is subsequently salted and hashed and stored in /etc/nginx/.htpasswd, so it should not be necessary to provide it in plaintext.

Umbrel provides APP_PASSWORD, do you know if they also provides a hashed/salted+hashed version?

[18c83fd3-25ea-4ed9-8205-2abeff9b3883]

The problem is umbrel just hard coded a user name and password without the ability to change it. It doesn't matter if it is salted because it is the same for everyone.

Would need to update the script to read environment variables for the username and password, then modify the docker compose and umbrel app yml.

It doesn't look hard to do but have to coordinate both sides. Is there any other way I'm not thinking of?