Page MenuHomePhabricator

Horizon shows me buttons to do dangerous things on the `tools` project
Closed, ResolvedPublicSecurity

Description

Horizon shows me buttons that look dangerous as a regular Toolforge user (member of the tools project). These buttons include:

Ability to manage security groups:

Ability to manage hiera/puppet config:

Ability to manage server groups:

Ability to manage Cinder volumes:

According to @aborrero permissions for these actions should be checked somewhere else too but it's still worth to double check so I'm filing this task. I haven't tested if I can actually perform these actions.

Event Timeline

Andrew triaged this task as Unbreak Now! priority.

Thank you for the report!

Several upstream policies were renamed and so fell through to the default that allowed any project member access. I've addressed that (and possibly future renamings) in the attached patches; can you please recheck and confirm that you no longer have excessive access in the tools project?

@Andrew I no longer see the sidebar to access tools and most pages seem to not show me anything but by directly navigating to https://horizon.wikimedia.org/project/security_groups/ I do still see buttons to edit security groups. The front page also displays me the list of all instances and clicking on a single instance I do seem to be able to see the syslog of that instance:


I'm not sure if those can contain PII/security-critical information, I'd imagine something like a puppetmaster might have.

To clarify, would it actually have let me perform those actions or would it have been restricted somewhere else?

Thanks for re-checking! I believe the sidebar issue is fixed (probably a moment after you looked.)

The logs are intended to be visible, although whether or not they should be is a reasonable question.

I'm currently investigating the security groups issue -- that is apparently implemented in a totally different way in the upstream code for some reason :(

The security group thing turns out to be an upstream Horizon bug; I've filed there and sent a proposed patch. I've already applied that patch to our install so it should be in effect now. You may need to log out/in again (or switch projects) to refresh your policy view.

Please let me know if you see anything else has fallen through the cracks :(

I don't see anything that looks like dangerous anymore, thanks!

I believe this needs to stay private until upstream https://launchpad.net/bugs/1915308 (which I can't see) is fixed.

Thank you again for the report! I'm going to close this but leave it private until the upstream people decide whether or not they care.

Upstream does not treat this as a security issue, can this task be made public?

Upstream does not treat this as a security issue, can this task be made public?

yep!

Upstream does not treat this as a security issue, can this task be made public?

Done (reviewed for PII/sensitive data).

sbassett lowered the priority of this task from Unbreak Now! to Low.Feb 24 2021, 3:22 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett moved this task from Backlog to Upstream on the Horizon board.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.