Conversation

@tdykstra (Contributor) commented Oct 31, 2024

@tdykstra tdykstra changed the title SFI ROPC Remediation: more files with connection strings ROPC Remediation: more files with connection strings Oct 31, 2024
@tdykstra tdykstra changed the title ROPC Remediation: more files with connection strings ROPC remediation: more files with connection strings Oct 31, 2024
@tdykstra tdykstra changed the title ROPC remediation: more files with connection strings WIP: ROPC remediation: more files with connection strings Oct 31, 2024
tdykstra (Contributor, Author) commented:

Including password here isn't required, as it and the other parts of the connection string were there just to give an impression of what an Azure Redis Cache connection string looks like.

@tdykstra tdykstra marked this pull request as ready for review October 31, 2024 23:10
@tdykstra tdykstra changed the title WIP: ROPC remediation: more files with connection strings WIP: ROPC remediation - more files with connection strings Oct 31, 2024
@tdykstra tdykstra changed the title WIP: ROPC remediation - more files with connection strings ROPC remediation - more files with connection strings Oct 31, 2024

```dotnetcli
dotnet user-secrets set "DbPassword" "pass123"
dotnet user-secrets set "DbPassword" "`<secret value>`"
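Review bot: the replacement line wraps the placeholder in backticks inside a fenced `dotnetcli` block, where backticks are literal characters, so a reader who copies the command stores a `DbPassword` value that contains the backticks rather than seeing a highlighted placeholder; either drop the backticks and state in the surrounding prose that `<secret value>` is to be replaced with the real password, or keep them only if the intent is that the pasted command not be usable as-is.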
A reviewer (Contributor) commented:

For bonus points, replace "<secret value>" with "\x00``<secret value>``\" which should throw an error, although maybe <secret value> will throw. We don't want them to copy/paste something that works.

[!code-json[](~/security/app-secrets/samples/3.x/UserSecrets/appsettings-unsecure.json?highlight=3)]

A more secure approach is to store the password as a secret. For example:
Storing passwords in plain text is insecure. For example, a database connection string stored in `appsettings.json` should not include a password. Instead, store the password as a secret, and include the password in the connection string at runtime. For example:
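Review bot: the new sentence says to store the password as a secret and add it to the connection string at runtime, but it does not say where the secret is kept or how the app reads it; since the sample in this PR uses `dotnet user-secrets set "DbPassword"`, say that the Secret Manager tool holds the value during development and that the app reads the `DbPassword` configuration key to build the connection string, and state outright that the password must not be committed in `appsettings.json` (the concern a reviewer raises on this PR). Also, `highlight=3` on the `appsettings-unsecure.json` include assumes line 3 of that file is the password line; worth confirming the sample still matches.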
A reviewer (Contributor) commented:

Do you want to tell them never to store secrets in a config file (for example appsettings.json) ... checked into source?

@tdykstra tdykstra merged commit ff8edb9 into dotnet:main Nov 1, 2024
3 checks passed
@tdykstra tdykstra deleted the sfi1030connstr branch November 1, 2024 03:40