lib/installers/sqlcmd.js:116 creates sqlcmd users with --password-encryption none, so DB passwords land effectively plaintext (base64) in ~/.sqlcmd/sqlconfig.
Nuance: go-sqlcmd's only alternative (dpapi) is Windows-only, so none may genuinely be the only cross-platform value. If so, the fix is defense-in-depth rather than a flag change:
- Verify/enforce
0600 on ~/.sqlcmd/sqlconfig after context creation (the setup already passes the password via SQLCMD_PASSWORD env rather than argv, which is good — sqlcmd.js:119).
- Document the at-rest limitation in
cli-sqlcmd.md.
- Consider whether stage credentials should live here at all long-term vs. an auth broker.
Related irony: the codebase exports a writeFileSecure helper (lib/shell.js:98-100) that nothing calls.
lib/installers/sqlcmd.js:116creates sqlcmd users with--password-encryption none, so DB passwords land effectively plaintext (base64) in~/.sqlcmd/sqlconfig.Nuance: go-sqlcmd's only alternative (
dpapi) is Windows-only, sononemay genuinely be the only cross-platform value. If so, the fix is defense-in-depth rather than a flag change:0600on~/.sqlcmd/sqlconfigafter context creation (the setup already passes the password viaSQLCMD_PASSWORDenv rather than argv, which is good —sqlcmd.js:119).cli-sqlcmd.md.Related irony: the codebase exports a
writeFileSecurehelper (lib/shell.js:98-100) that nothing calls.