Is there an existing issue for this?
Proposal
Evaluate how host key/fingerprint checks are handled.
In SFTP.cs, if Fingerprint is null, “args.CanTrust = true” simply accepts all remote host keys. This may be appropriate for development but is a security risk in production. A better approach is to fail if no fingerprint is given, or store known trusted hosts in a configuration.

Avoid storing secrets in plain text.

The “Client” class holds username/password. For larger/production-grade scenarios, consider using a secret store, environment variables, or an external vault.
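The following is an added example illustrating both points of the proposal above (fail-closed host key pinning, and credentials read from the environment instead of a class field). It is not code from the project's SFTP.cs or Client class. It assumes SSH.NET 2020.0.0 or later (for HostKeyEventArgs.FingerPrintSHA256) on .NET 6 or later; the SftpSettings record and the SFTP_* environment variable names are hypothetical and chosen for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Renci.SshNet;
using Renci.SshNet.Common;

// Added example, not the project's code. Assumes SSH.NET >= 2020.0.0 and .NET 6+.
public static class HardenedSftp
{
    // Hypothetical settings record: values come from the environment (or a vault), never from source.
    public sealed record SftpSettings(
        string Host, int Port, string Username, string Password,
        IReadOnlyCollection<string> TrustedFingerprintsSha256);

    // Load settings from environment variables (hypothetical names) and refuse to run
    // without at least one pinned host key fingerprint.
    public static SftpSettings FromEnvironment()
    {
        static string Require(string name) =>
            Environment.GetEnvironmentVariable(name)
            ?? throw new InvalidOperationException($"Missing required setting {name}");

        // Comma-separated OpenSSH-style fingerprints, e.g. "SHA256:Ab12...,SHA256:Cd34..."
        var fingerprints = Require("SFTP_HOST_FINGERPRINTS")
            .Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
        if (fingerprints.Length == 0)
            throw new InvalidOperationException("No trusted host fingerprints configured; refusing to connect.");

        var port = int.TryParse(Environment.GetEnvironmentVariable("SFTP_PORT"), out var p) ? p : 22;
        return new SftpSettings(Require("SFTP_HOST"), port,
                                Require("SFTP_USERNAME"), Require("SFTP_PASSWORD"), fingerprints);
    }

    // Trust decision kept pure so it can be unit-tested without a server.
    // Returns false (fail closed) when no fingerprint was presented or none is pinned.
    public static bool IsTrusted(string presentedSha256, IReadOnlyCollection<string> trusted)
    {
        if (string.IsNullOrEmpty(presentedSha256) || trusted == null || trusted.Count == 0)
            return false;

        var presented = Encoding.ASCII.GetBytes(Normalize(presentedSha256));
        foreach (var candidate in trusted)
        {
            var expected = Encoding.ASCII.GetBytes(Normalize(candidate));
            // Constant-time comparison; length check first because FixedTimeEquals requires equal lengths.
            if (expected.Length == presented.Length && CryptographicOperations.FixedTimeEquals(expected, presented))
                return true;
        }
        return false;
    }

    // Accept both "SHA256:<base64>" (OpenSSH ssh-keygen output) and bare base64 (SSH.NET),
    // with or without '=' padding, so operators can paste either form into configuration.
    private static string Normalize(string fingerprint)
    {
        var s = fingerprint.Trim();
        if (s.StartsWith("SHA256:", StringComparison.OrdinalIgnoreCase))
            s = s.Substring("SHA256:".Length);
        return s.TrimEnd('=');
    }

    public static SftpClient Connect(SftpSettings settings)
    {
        var client = new SftpClient(settings.Host, settings.Port, settings.Username, settings.Password);

        client.HostKeyReceived += (sender, e) =>
        {
            // Contrast with "args.CanTrust = true": here CanTrust is only true on a pinned match.
            e.CanTrust = IsTrusted(e.FingerPrintSHA256, settings.TrustedFingerprintsSha256);
            if (!e.CanTrust)
                Console.Error.WriteLine(
                    $"Rejecting {settings.Host}: {e.HostKeyName} SHA256:{e.FingerPrintSHA256} is not in the trusted list");
        };

        // With CanTrust == false SSH.NET aborts the handshake and Connect() throws SshConnectionException.
        client.Connect();
        return client;
    }
}
```

To populate SFTP_HOST_FINGERPRINTS, record the server's key out of band once (for example `ssh-keyscan -t ed25519 <host> | ssh-keygen -lf -`) and treat a later mismatch as an incident to investigate, not a value to overwrite. The decision logic is separated from the event handler so the "null fingerprint means reject" path can be covered by a unit test, which is the behaviour the proposal asks for in place of the current unconditional accept.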