Gitea Shows plain text passwords in app.ini and in Site Administration page

Hi Team,

In our Gitea deployment, we could see that the database password and the cache/session provider passwords are stored in plaintext in the app.ini file.

We could also see the cache/session provider passwords in the GUI, in the "Configuration" tab under the Site Administration page.

Is there any way to hide these?

Depends*

* On the UI, you can hide it by adding custom templates whose only change is removing these lines (Customizing Gitea | Gitea Documentation)
* For the app.ini file, I don’t know what you want us to do. I think the Helm Chart may provide reading in a K8s secret in the form of an env var, but IIRC, the only thing that does is write the env var into the app.ini on startup, so it will still be there and Gitea cannot function in any other way

Can you clarify the version of Gitea you are using? As we censor that specific information for some of the settings, I had thought we did it for sessions/cache too, but your version would help confirm.
Gitea reads its settings from app.ini, and so the helm chart constructs the config so that Gitea can run. There are a few settings (such as JWT_SECRET, LFS_SECRET, etc.) that do have the option to be read from a file (à la how k8s secrets generally expose themselves).
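As an added illustration of the file-backed option mentioned above (this is not a config posted in the thread, and the `*_URI` key names come from the Gitea configuration cheat sheet rather than from this discussion, so check them against your own version's docs), the fragment below contrasts the plaintext form with the `file:` form for the settings that support it, and shows that the database password has no such variant:

```ini
; Added example app.ini fragment (hypothetical paths), not from the original post.
; Secrets that Gitea can load from a file instead of keeping the value in app.ini.
; Mount the k8s Secret as files and point each *_URI at the mounted path.

[security]
; Plaintext form (what the thread is complaining about):
; SECRET_KEY = <long random string>
; INTERNAL_TOKEN = <long random string>
; File-backed form; the file should be readable only by the gitea user.
SECRET_KEY_URI = file:/run/secrets/gitea/secret_key
INTERNAL_TOKEN_URI = file:/run/secrets/gitea/internal_token

[oauth2]
; JWT_SECRET = <base64 secret>
JWT_SECRET_URI = file:/run/secrets/gitea/oauth2_jwt_secret

[server]
; LFS_JWT_SECRET = <base64 secret>
LFS_JWT_SECRET_URI = file:/run/secrets/gitea/lfs_jwt_secret

[database]
; No *_URI variant exists for the database password: whatever the helm chart
; reads from the environment (GITEA__database__PASSWD) is written here at startup.
DB_TYPE = postgres
HOST = postgres:5432
NAME = gitea
USER = gitea
PASSWD = <still plaintext in app.ini>

[cache]
ADAPTER = redis
; Connection string carries the credential; same situation as PASSWD above.
HOST = redis://:<password>@redis:6379/0?pool_size=100&idle_timeout=180s
```

Because the database and cache/session credentials still land in app.ini, the practical mitigation is at the filesystem level: keep app.ini owned by the gitea user with mode 0600 (or 0640 with a dedicated group), and treat the config volume as secret material in backups and in any log or debug output.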

We are using version 1.21.11. Also, storing plaintext passwords is not good security practice. It would be better if they were stored in an encrypted way.


Not so nice. To be dicked ASAP