Short Summary of the Bug
The esignet-with-plugins deployment script injects MOSIP_ESIGNET_CAPTCHA_REQUIRED and the captcha site-key env var with empty string values when the esignet-captcha secret is absent. As a result, captcha is effectively disabled by default on a fresh deployment. The two captcha env-var branches also use inconsistent variable names.
Description
In deploy/esignet-with-plugins/install.sh, the captcha environment variables are conditionally set based on whether the esignet-captcha Kubernetes secret exists. In the else branch (secret not found), the script appends the captcha variables with empty values:
```shell
else
  extra_env_vars_additional+="  - name: \"MOSIP_ESIGNET_CAPTCHA_REQUIRED\""$'\n'
  extra_env_vars_additional+="    value: \"\""$'\n'
  extra_env_vars_additional+="  - name: \"MOSIP_ESIGNET_CAPTCHA_SITE-KEY\""$'\n'
  extra_env_vars_additional+="    value: \"\""$'\n'
fi
```
Because MOSIP_ESIGNET_CAPTCHA_REQUIRED is injected as an explicit empty string rather than left unset, the application sees an empty "required" setting instead of whatever default its configuration would otherwise supply, so captcha enforcement is effectively turned off for any deployment that does not already have the esignet-captcha secret in place. The install completes without any warning, so a security-relevant control ends up disabled silently, without the operator explicitly opting out. The safe behaviour for the else branch is to emit nothing (so the configured default applies) or to abort with a clear message, and to disable captcha only on an explicit opt-out.
Secondary issue — inconsistent env var name
The captcha site-key variable is named differently across the two branches:
When the secret exists (if branch): MOSIP_ESIGNET_CAPTCHA_SITE_KEY (underscore)
When the secret is absent (else branch): MOSIP_ESIGNET_CAPTCHA_SITE-KEY (hyphen)
Kubernetes accepts '-' in container env var names, so the hyphenated spelling is not rejected at deploy time; whichever spelling the application actually reads, at most one of the two branches sets it, and the mismatch only shows up as a missing value at runtime.
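A fail-closed version of that branch, together with a quick check for empty-valued env entries in a rendered manifest, as an added example (not code from install.sh or the eSignet project). It assumes a hypothetical opt-out switch, ESIGNET_CAPTCHA_OPT_OUT, and uses the underscore spelling MOSIP_ESIGNET_CAPTCHA_SITE_KEY from the if-branch; the manifest fragment it scans is constructed here, not captured from a cluster.

```shell
#!/bin/sh
# Added example, not the eSignet project's install.sh.
# Assumed/hypothetical: ESIGNET_CAPTCHA_OPT_OUT (operator opt-out switch),
# MOSIP_ESIGNET_CAPTCHA_SITE_KEY (underscore spelling, as in the if-branch).

# build_captcha_env <secret_found:0|1> <site_key>
# Prints the YAML env entries to append to extra_env_vars_additional.
# Secret present -> captcha required, site key taken from the secret.
# Secret absent  -> print nothing and fail, unless the operator opted out
#                   explicitly. An empty "" value is never emitted.
build_captcha_env() {
  bce_secret_found="$1"
  bce_site_key="$2"
  if [ "$bce_secret_found" = "1" ]; then
    if [ -z "$bce_site_key" ]; then
      echo "ERROR: esignet-captcha secret exists but the site key is empty" >&2
      return 2
    fi
    printf '  - name: "MOSIP_ESIGNET_CAPTCHA_REQUIRED"\n    value: "true"\n'
    printf '  - name: "MOSIP_ESIGNET_CAPTCHA_SITE_KEY"\n    value: "%s"\n' "$bce_site_key"
    return 0
  fi
  if [ "${ESIGNET_CAPTCHA_OPT_OUT:-}" = "true" ]; then
    # Explicit opt-out: leave both variables unset so the configured
    # default applies, and say so loudly instead of silently.
    echo "WARNING: esignet-captcha secret not found; captcha disabled by operator opt-out" >&2
    return 0
  fi
  echo "ERROR: esignet-captcha secret not found; create it or set ESIGNET_CAPTCHA_OPT_OUT=true" >&2
  return 1
}

# empty_env_names: reads container env YAML on stdin and prints the name of
# every entry whose value is the empty string. Entries using valueFrom are
# skipped because they carry no literal value line.
empty_env_names() {
  awk '
    /^[ \t]*- name:/ { n = $3; gsub(/"/, "", n); next }
    /^[ \t]*value:/  {
      v = $0; sub(/^[ \t]*value:[ \t]*/, "", v)
      if (v == "" || v == "\"\"") print n
    }
  '
}

# Constructed manifest fragment mirroring what the quoted else-branch renders
# (not captured from a real cluster).
SAMPLE_ENV='  - name: "MOSIP_ESIGNET_CAPTCHA_REQUIRED"
    value: ""
  - name: "MOSIP_ESIGNET_CAPTCHA_SITE-KEY"
    value: ""
  - name: "SPRING_PROFILES_ACTIVE"
    value: "default"'

# Demo: secret present, then secret absent without opt-out, then the audit.
build_captcha_env 1 "6Lc-constructed-site-key"
build_captcha_env 0 "" || echo "install would abort here (rc=$?)"
printf '%s\n' "$SAMPLE_ENV" | empty_env_names
```

After a real install, pipe `kubectl -n "$NS" get deploy esignet -o yaml` into empty_env_names to confirm that no security-relevant variable was rendered as `""`; the two names the constructed fragment reports are exactly the ones the quoted else-branch produces.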
Location
deploy/esignet-with-plugins/install.sh — captcha env-var block (the if kubectl get secret esignet-captcha ... / else conditional)
https://github.com/mosip/esignet/blob/v1.8.0/deploy/esignet-with-plugins/install.sh
Affected env vars
```yaml
- name: MOSIP_ESIGNET_CAPTCHA_REQUIRED   # set to ""
- name: MOSIP_ESIGNET_CAPTCHA_SITE-KEY   # set to "" (also inconsistently named vs. the if-branch)
```
Attachments / Evidence / Links
No response