Sublime Forum

Warning! SublimeText + sFTP

#4

@Gregor: the SFTP plugin will create the config file inside of the project folder. The plugin - AFAIK - will ignore the file and won’t allow uploading.
However, if you upload the whole directory using another ftp app, things can go crazy.

The .htaccess thing will block the access to sensitive files & folders on your server, so even if the file is uploaded, it won’t be accessible. Sure, this works only if you use Apache, but I’m pretty sure that other servers have equivalents to this.

0 Likes

#5

The file is uploaded only sometimes, not always.

GitHub is a little example. I always find these config files in GitHub repositories. But not every developer enjoys GitHub, so everyone can find the file on a server, maybe.

0 Likes

#6

Just to be clear - the plugin NEVER uploads the config file - unless you explicitly ask for the file to be uploaded. So you have to open the file and execute “Upload file” or right click on the file and click “Upload”. It should be pretty obvious to most users to not do that…

If you care about security, which you should, you should be using SFTP and SSH keys. FTP sends your password in the clear. SFTP without SSH keys requires that you either type in your password for every connection attempt, or you have it stored somewhere on disk. In the next release I am planning on offering an option for storing your configuration files in a separate location, and I have the intention of exploring integration with popular password vaults.

If you notice, the plugin was originally designed to just be SFTP, hence the name SFTP. I was not planning on supporting FTP due to the security issues related to it. The market spoke and demanded FTP support, so I added it. Just to reiterate, I highly recommend anyone using the plugin use SFTP with an SSH key.

Also, the author of that blog has contemptible security practices. Supposedly he crawled and emailed developers for hundreds of sites. However, he never even attempted to contact me to raise his concern or ask for a response. His behavior does not sound like much of a security “professional” to me.

0 Likes

#7

Thanks, wbond. After understanding what the “problem” is, I agree that SFTP is not to blame. Looking forward to the next version with ST3 support!

0 Likes

#8

The functionality to store the ftp settings elsewhere would be ideal. Personally, I’d like to store it above the root. So a relative path would be great!

0 Likes

#9

This issue is actually very, very serious.

When you create an STx project and you want FTP capabilities, you must create a sftp-config.json in a local folder that is the equivalent of the document root on the server. Each, any and every time you make a change to this sftp-config.json, it gets UPLOADED TO THE SERVER.

There is no way around this security hole given the current structure of the SFTP Plug-in.

The solution needs to be that the sftp-config.json gets stored above the document root.

Ideally, we would be able to store this file in the same place that the server credential’s copy of the sftp-config.json get stored so we do not need to have 2 copies of it on our local machine.

Currently, on a Win7 machine, the sftp server file also exists at C:\Users\{username}\AppData\Roaming\Sublime Text 3\Packages\User\sftp_servers

The server configuration file needs to exist once and in a local folder that is not a compromise to site security.

There is no reason the sftp-config.json file needs to reside on the server. I saw thread posts above on preventing browser access via .htaccess file and apache directives. Essentially, they miss the point that having this open text file floating around on the server with FTP credentials is serious business. The root problem needs to be addressed – not server-side patchwork to make up for the plug-in’s shortcoming.

0 Likes

#10

I am aware of the feature request to store configuration in a different location than the local root of your project. It is on the list for the next feature release. I have also been working on the integration of various operating system password vaults to use for storing passwords in.

As I explained above - with the default configuration, there is no security hole. The sftp-config.json is ignored unless the user explicitly opens the file, or right-clicks on it and uploads it.

It certainly is possible that if you use the FTP protocol and use another FTP program and upload your credentials file to the server it will be visible. I would recommend against doing so. If you use the SFTP package and don’t blow away the default ignore settings, this won’t be a problem. If instead you insist on using another FTP program and uploading a whole folder at a time, you have a few choices:

  • Use the SFTP protocol and an SSH key so that your password is not stored in sftp-config.json. The FTP protocol is a bad idea anyway since it sends your credentials in the clear.

  • Set your other FTP program to ignore sftp-config.json.

  • Use a separate checkout of your code with other editors/FTP programs.

  • Don’t set the root of your project as your document root. Many projects contain other passwords in them - having your project root be one folder above your document root is a good idea.

  • Stop using the SFTP package until the next version comes out

0 Likes

#11

This is an untruth.

Try it out for yourselves:

Use ST2 or ST3

edit your sftp-config.json file by simply changing anything inside it

save it as you would any other local file in STx

connect to and browse your server

look in the document root and see what you find

No other FTP programs on the client machine are in use.

0 Likes

#12

Unfortunately, this option is not the best given STx and SFTP plug-in are the only IDE and FTP running on my machine.

Any ETA on the “next version”?

0 Likes

#13

[quote=“sme”]

This is an untruth.

Try it out for yourselves:

Use ST2 or ST3

edit your sftp-config.json file by simply changing anything inside it

save it as you would any other local file in STx

connect to and browse your server

look in the document root and see what you find

No other FTP programs on the client machine are in use.[/quote]

Can you paste your configuration (sans host, username, password)? If there is a bug, I will certainly fix it immediately.

0 Likes

#14

[code]
{
    // The tab key will cycle through the settings when first created
    // Visit http://wbond.net/sublime_packages/sftp/settings for help

    // sftp, ftp or ftps
    "type": "sftp",

    "upload_on_save": true,
    "sync_down_on_open": true,
    "sync_skip_deletes": true,
    "sync_same_age": false,
    "confirm_downloads": true,

    "host": "ftp.mydomain.com",
    "user": "user",
    "password": "pAsSwOrD9",
    "port": "22",

    "remote_path": "/{document root}/",
}
[/code]

The moment you edit and change anything inside this sftp-config.json file it gets uploaded to the document root of the server.

0 Likes

#15

[quote=“sme”][code]
{
// The tab key will cycle through the settings when first created
// Visit http://wbond.net/sublime_packages/sftp/settings for help

// sftp, ftp or ftps
"type": "sftp",

"upload_on_save": true,
"sync_down_on_open": true,
"sync_skip_deletes": true,
"sync_same_age": false,
"confirm_downloads": true,

"host": "ftp.mydomain.com",
"user": "user",
"password": "pAsSwOrD9",
"port": "22",

"remote_path": "/{document root}/",

}
[/code]

The moment you edit and change anything inside this sftp-config.json file it gets uploaded to the document root of the server.[/quote]

You deleted the ignore_regexes setting (wbond.net/sublime_packages/sftp/ … re_regexes), which has the useful value of making sure you don’t upload your config. If you put it back, you’ll be all set!

0 Likes

#16

Thanks. My impression was that whatever I put here overrode the default in the sftp-config.json template.

So I need to use the entire template here and not just the portions I want changed?

0 Likes

#17

[quote=“sme”]Thanks. My impression was that whatever I put here overrode the default in the sftp-config.json template.

So I need to use the entire template here and not just the portions I want changed?[/quote]

The way it is currently implemented, that is correct. I’d be happy to add an enhancement to treat the sftp-config.json as an overlay for the next feature release.

0 Likes
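A local check for the condition posts #14 and #15 describe, as an added example that is not part of the SFTP package or of anything posted in this thread: it parses a Sublime-style sftp-config.json (whole-line // comments, trailing commas) and reports when upload_on_save is on but no ignore_regexes entry matches the config's own filename, plus the FTP and stored-password points wbond raises. The two sample configs are constructed; the regex in the safe variant is illustrative and not necessarily the package's shipped default.

```python
import json
import re

CONFIG_NAME = "sftp-config.json"

def parse_sublime_json(text):
    """Parse Sublime-style JSON: whole-line // comments and trailing commas."""
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    text = re.sub(r",(\s*[}\]])", r"\1", text)  # drop trailing commas
    return json.loads(text)

def config_would_upload_itself(cfg):
    """True when saving sftp-config.json would push it to the server.

    The package skips any file matching an entry of ignore_regexes; a config
    that omits that key (as the post #14 config does) has nothing protecting it.
    """
    if not cfg.get("upload_on_save"):
        return False
    return not any(re.search(p, CONFIG_NAME) for p in cfg.get("ignore_regexes", []))

def audit(text):
    """Return the list of risk findings for one config file's contents."""
    cfg = parse_sublime_json(text)
    findings = []
    if config_would_upload_itself(cfg):
        findings.append("sftp-config.json not matched by ignore_regexes: uploaded on save")
    if cfg.get("type") != "sftp":
        findings.append("type is not sftp: credentials travel in the clear")
    if cfg.get("password"):
        findings.append("password stored in the config: prefer an SSH key")
    return findings

# Constructed sample: the post #14 shape with the password replaced by a placeholder.
UNSAFE_CONFIG = r'''{
    // sftp, ftp or ftps
    "type": "sftp",
    "upload_on_save": true,
    "host": "ftp.mydomain.com",
    "user": "user",
    "password": "PLACEHOLDER",
    "port": "22",
    "remote_path": "/{document root}/",
}'''

# Constructed sample: ignore_regexes restored (illustrative pattern, not
# necessarily the package default) and no stored password (SSH key instead).
SAFE_CONFIG = r'''{
    "type": "sftp",
    "upload_on_save": true,
    "host": "ftp.mydomain.com",
    "user": "user",
    "port": "22",
    "remote_path": "/{document root}/",
    "ignore_regexes": ["sftp-config(-alt\\d?)?\\.json", "\\.git/"],
}'''
```

Run `audit(UNSAFE_CONFIG)` to see the two findings and `audit(SAFE_CONFIG)` to get an empty list.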

#18

@Wbond: I guess you could add a triple confirmation when you try to upload the sftp config file, no matter what the settings are.
Something like:

[quote]Are you sure?
Are you absolutely sure?
Please be sure you wanna do this!
[/quote]

Only after the user responds to all of these do you upload the file.

Also, on file save (or sync?) do a quick search (at least in the project root) for sftp config files and show a warning if one is found.

0 Likes

#19

Sorry, but why do you need a triple confirmation?

For me and also other developers in our company, the current functionality of wbond’s SFTP plugin works in a great way.
We never got in trouble because we didn’t touch the ignore_regexes in case of the sftp-config. Why should we…

In my opinion, it is just a “user” malfunction instead of sftp itself.

0 Likes

#20

Just to avoid

0 Likes

#21

I see - but then you should also avoid to avoid to avoid… This is in my opinion not really user-friendly. But anyhow - it’s just my viewpoint.

Let us still look forward to the upcoming release of ST 3 :smile:

0 Likes

#22

I also support a triple-check for uploading the config itself. The issue sme experienced is, I think, in no way his/her fault - the rest of Sublime Text’s configuration system works by using the config files as a layer over safe defaults, and that was a perfectly understandable mistake to make. Anyway, wbond: would it be possible for each sftp-config.json to check whether or not it has a copy of itself on the server, perhaps during the routine check against the server that individual files do when opened? It’s very likely that it would be mirrored to the same remote directory, so could probably safely just check one folder. Even just once every day or something would be a great safety net.

Anyway, fantastic work with the plugin! I use it countless times a day for work and it always functions beautifully.

0 Likes

#23

[quote=“wbond”]Stop using the SFTP package until the next version comes out[/quote]

When will the next major version be released?

0 Likes