Secure Jam.py ?


Andreas Schneider

Aug 10, 2023, 8:38:24 PM
to Jam.py Users Mailing List
I want to develop a jam app that securely stores very important data. Web access takes place via password and 2FA. 

Database is a PostgreSQL with TDE (Transparent Data Encryption) (on another server, only reachable via a dedicated network from the app server).

I assume that the web application server will be hacked into at some point.

My main problem is that the admin.sqlite stores the password for the database connection in plain text.

Dean D. Babic

Aug 10, 2023, 9:43:55 PM
to Jam.py Users Mailing List
Hi, 
I was thinking to try SQLCipher with admin.sqlite but did not have time.
Basically, you could encrypt everything in admin without much overhead.
If the builder is not accessible, then one can't see the DB password even with sqlite access.
The encryption key could be sourced from the environment variable.

Regards
D.

Andrew Yushev

Aug 12, 2023, 6:01:29 AM
to Dean D. Babic, Jam.py Users Mailing List

Fri, 11 Aug 2023 at 04:43, Dean D. Babic <bab...@gmail.com>:

yush...@gmail.com

Aug 12, 2023, 7:28:15 AM
to Jam.py Users Mailing List
And you can add an empty builder.html file to the project root folder to disable the builder

Saturday, 12 August 2023 at 13:01:29 UTC+3, yush...@gmail.com:

Dean D. Babic

Aug 15, 2023, 3:02:54 AM
to Jam.py Users Mailing List
Hi Andrew, 

I propose this:

[image: Screenshot from 2023-08-15 13-34-13.png]

Which makes DB password hidden:

[image: hidden_passwd.png]

Dean D. Babic

Aug 16, 2023, 3:01:28 AM
to Jam.py Users Mailing List
Hi, 

Exactly the same method can be used for Builder/sys_users :

// Render the password field as a masked input when the edit form opens,
// so the stored value is not shown on screen.
function on_edit_form_shown(item) {
    $('input.f_password').prop("type", "password");
}

// In grids and lists, show a fixed mask instead of the stored password text.
// The mask is only returned when a value exists; other fields keep the default text.
function on_field_get_text(field) {
    var item = field.owner;
    if (field.field_name === 'f_password') {
        if (item.id.value || field.value) {
            return '**********';
        }
    }
}
Will give:
[image: demo_users_pwd.PNG]


Dean D. Babic

Aug 29, 2023, 12:45:48 AM
to Jam.py Users Mailing List
2FA for the builder might be added along the lines of what is done here:

EKuzmin

Jun 23, 2025, 11:54:06 AM
to Jam.py Users Mailing List
Hi,
  I have a similar showstopper — the passwords in the admin.sqlite database are stored in plain text. Hiding the builder is not a real solution. Our pentester was able to obtain this file and extract the passwords without using the builder.
At this point, it's unclear how to properly address this issue.  

Wednesday, 16 August 2023 at 09:01:28 UTC+2, Dean D. Babic:

Dean D. Babic

Jun 23, 2025, 9:46:41 PM
to Jam.py Users Mailing List
Hi,
The pen tester has access to the server, and the ability to inspect the SQLite file.
Heaps of pen testing is based on this premise.

Django is the same, hiding the admin panel.

I'm more than happy to accept the pull request with the developed solution.
Here is the question before doing it:
- how is anyone accessing the builder if the password is lost? 

You could encrypt admin.sqlite database, it's easy to add this to Jam.py:
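The encrypt-with-a-key-from-the-environment idea from Dean's first reply and from this post, written out as an added example that is not Jam.py's code and not part of the thread. It uses field-level encryption of the stored password with the `cryptography` package (assumed installed) rather than SQLCipher's whole-file encryption; the environment variable name, the sample secret and the `db_settings` table are all constructed for the example, since the thread does not show the real admin.sqlite schema.

```python
import os
import sqlite3
from cryptography.fernet import Fernet, InvalidToken  # assumed installed: pip install cryptography

KEY_ENV = "JAM_ADMIN_KEY"  # hypothetical variable name, not a Jam.py setting
SAMPLE_PASSWORD = "s3cret-pg-password"  # constructed sample secret

def load_key(env=os.environ):
    """Build the cipher from the environment; refuse to start instead of falling back to plaintext."""
    key = env.get(KEY_ENV)
    if not key:
        raise RuntimeError(f"{KEY_ENV} is not set; cannot decrypt the database password")
    return Fernet(key.encode())

def init_store(conn):
    # Constructed stand-in table; the thread does not show the real admin.sqlite schema.
    conn.execute("CREATE TABLE IF NOT EXISTS db_settings (name TEXT PRIMARY KEY, value BLOB)")

def store_password(conn, fernet, password):
    # Fernet = AES-128-CBC + HMAC-SHA256 token: a tampered value or a foreign key fails on decrypt.
    conn.execute("INSERT OR REPLACE INTO db_settings VALUES ('db_password', ?)", (fernet.encrypt(password.encode()),))
    conn.commit()

def stored_value(conn):
    # Raw bytes, i.e. what someone who copied the file would see.
    row = conn.execute("SELECT value FROM db_settings WHERE name = 'db_password'").fetchone()
    return None if row is None else bytes(row[0])

def read_password(conn, fernet):
    token = stored_value(conn)
    if token is None:
        return None
    try:
        return fernet.decrypt(token).decode()
    except InvalidToken:
        raise RuntimeError("stored db_password does not decrypt with the configured key")

def demo():
    """In-memory round trip; reports what a copied file reveals and how bad keys are handled."""
    key = Fernet.generate_key().decode()  # in production: generated once, injected via KEY_ENV
    conn = sqlite3.connect(":memory:")
    init_store(conn)
    store_password(conn, load_key({KEY_ENV: key}), SAMPLE_PASSWORD)
    result = {"password": read_password(conn, load_key({KEY_ENV: key})),
              "plaintext_on_disk": SAMPLE_PASSWORD.encode() in stored_value(conn)}
    for name, env in (("wrong_key", {KEY_ENV: Fernet.generate_key().decode()}), ("missing_key", {})):
        try:
            read_password(conn, load_key(env))
            result[name + "_rejected"] = False
        except RuntimeError:
            result[name + "_rejected"] = True
    return result
```

The key never lives in the SQLite file, so a copied admin.sqlite yields only the Fernet token; losing the key means the password must be re-entered, which is the recovery question raised above.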