MokoConsulting/MokoSuiteBackup
1
0
Fork 0
Code Issues 8 Pull Requests Packages Releases 5 Wiki Activity

security: API profiles endpoint leaks FTP/S3/GDrive credentials #78

New Issue
Closed
opened 2026-06-21 23:01:35 +00:00 by jmiller · 0 comments
jmiller commented 2026-06-21 23:01:35 +00:00
Owner
Copy Link
Copy Source

Severity: HIGH

api/BackupsController::profiles() returns the entire profile object including ftp_password, s3_secret_key, gdrive_client_secret, gdrive_refresh_token, and encryption_password in the JSON API response.

Any authenticated API consumer with core.manage can read all stored credentials.

Fix

Unset sensitive fields before serialization, or create a sanitized DTO with only safe fields.

File

  • api/src/Controller/BackupsController.php:124-130
## Severity: HIGH `api/BackupsController::profiles()` returns the entire profile object including `ftp_password`, `s3_secret_key`, `gdrive_client_secret`, `gdrive_refresh_token`, and `encryption_password` in the JSON API response. Any authenticated API consumer with `core.manage` can read all stored credentials. ## Fix Unset sensitive fields before serialization, or create a sanitized DTO with only safe fields. ## File - `api/src/Controller/BackupsController.php:124-130`
jmiller added the component: api label 2026-06-21 23:01:35 +00:00
Sign in to join this conversation.
Labels
Clear labels
component: admin
Admin UI and views
 component: api
REST API
 component: engine
Backup/restore engine
 component: remote
Remote storage (FTP/GDrive)
 component: scheduler
Scheduled tasks
No labels component: api
Priority Medium
Type Feature
Milestone
No items
No Milestone
Assignees
Clear assignees
jmiller (Jonathan Miller)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MokoConsulting/MokoSuiteBackup#78
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?