Password field is in plan text

Question

Password field is in plan text

alwaysharsha opened this issue a year ago · 3 comments

alwaysharsha commented a year ago

Expected Behavior

Password field shouldn't be exposed in plain text

Current Behavior

Currently, the password field is in plain text

Steps to Reproduce (for bugs)

Refer screen above when providing the credentials in basic it is capturing the credentials in plain text

Your Environment

tcWebHooks Version: 1.2.2
TeamCity Version: 2023.5.3
TeamCity server Operating System: Windows Server 2016
Are you using a WebHook Template?: Yes

Example Configuration (xml)

Answer 1 · 2023-09-27T09:17:42.000Z

Hi @alwaysharsha

The best option is to use a WebHook Parameter set as "password". TeamCity will store it outside your build settings in an encrypted file.

Then reference the WebHook Parameter in the password field of your webhook authentication settings.

See this page for more information: https://github.com/tcplugins/tcWebHooks/wiki/Hiding-Sensitive-Values-In-WebHook-Configuration

Here is an example I have on my test server...

And then referenced in a webhook

Answer 2 · 2023-09-27T09:22:37.000Z

BTW, the webhook configuration is stored on the teamcity server un-encrypted (I can't change how that works). So any implied security by using a hidden field in the webhook edit dialog would be mis-leading. That is why is it a plain text box, so that it's obvious that it won't be stored securely.

Referencing a secure WebHook Parameter is the better option.

Answer 3 · 2024-05-25T09:00:12.000Z

I'm going to close this out. Using a secure WebHook Parameter is the way to resolve this.