fix: FTP password exposed in maskSecrets() / mergeExistingSecrets() #185

Closed
opened 2026-06-29 14:40:23 +00:00 by jmiller · 2 comments
Owner

Summary

The maskSecrets() and mergeExistingSecrets() methods in the AjaxController mask SFTP, S3, and Google Drive credentials but do NOT mask the FTP password field. FTP credentials are exposed in cleartext via AJAX responses when loading remote destination config.

Location

src/Controller/AjaxController.phpmaskSecrets() and mergeExistingSecrets() methods

Fix

Add ftp_password to the list of masked fields alongside sftp_password, sftp_key_data, sftp_passphrase, s3_secret_key, and google_drive_client_secret.

## Summary The `maskSecrets()` and `mergeExistingSecrets()` methods in the AjaxController mask SFTP, S3, and Google Drive credentials but do NOT mask the FTP password field. FTP credentials are exposed in cleartext via AJAX responses when loading remote destination config. ## Location `src/Controller/AjaxController.php` — `maskSecrets()` and `mergeExistingSecrets()` methods ## Fix Add `ftp_password` to the list of masked fields alongside `sftp_password`, `sftp_key_data`, `sftp_passphrase`, `s3_secret_key`, and `google_drive_client_secret`.
jmiller added the component: admin label 2026-06-29 14:40:23 +00:00
Author
Owner

Branch created: feature/185-fix-ftp-password-exposed-in-masksecrets-

git fetch origin
git checkout feature/185-fix-ftp-password-exposed-in-masksecrets-
Branch created: [`feature/185-fix-ftp-password-exposed-in-masksecrets-`](https://git.mokoconsulting.tech/MokoConsulting/MokoSuiteBackup/src/branch/feature/185-fix-ftp-password-exposed-in-masksecrets-) ```bash git fetch origin git checkout feature/185-fix-ftp-password-exposed-in-masksecrets- ```
Author
Owner

Closing as a duplicate of #169.

Both describe the same gap — maskSecrets() / mergeExistingSecrets() in AjaxController.php omit an ftp entry, so a stored FTP remote's password is returned unmasked. #169 is earlier and more precisely matches the code: the $secrets map is keyed per-type by short field names (fix is 'ftp' => ['password']), not a flat ftp_password field. Consolidating tracking on #169.

Closing as a duplicate of #169. Both describe the same gap — `maskSecrets()` / `mergeExistingSecrets()` in `AjaxController.php` omit an `ftp` entry, so a stored FTP remote's password is returned unmasked. #169 is earlier and more precisely matches the code: the `$secrets` map is keyed per-type by short field names (fix is `'ftp' => ['password']`), not a flat `ftp_password` field. Consolidating tracking on #169.
Sign in to join this conversation.