I’ve noticed that the configuration of ISA on Toolforge is public / world-readable:
```
lucaswerkmeister@tools-sgebastion-07:~$ ls -l ~tools.isa/www/python/src/isa/config.yaml
-rw-rw-rw- 1 tools.isa tools.isa 404 Aug 1 2019 /data/project/isa/www/python/src/isa/config.yaml
lucaswerkmeister@tools-sgebastion-07:~$ cat ~tools.isa/www/python/src/isa/config.yaml
SECRET_KEY: TheSecretKeyIsWeirdButNotAHugeIssue
SQLALCHEMY_DATABASE_URI: 'mysql+pymysql://s54010:ThisPasswordShouldNotBePublic@clouddb1001/s54010__isa'
OAUTH_MWURI: https://meta.wikimedia.org/w/index.php
OAUTh_EDIT_URI: https://test-commons.wikimedia.org/w/api.php
CONSUMER_KEY: 782e467d43afe9f47ab8c0a9670bde48
CONSUMER_SECRET: NorShouldThisConsumerSecret
SQLALCHEMY_POOL_RECYCLE: 90
```
This includes the ToolsDB password and the secret key of the OAuth consumer. (Also, the file is even world-writable? But the fact that it’s readable is definitely the bigger issue, in my opinion.)
There’s also an older version of the file, with the same database password but a different OAuth consumer (which only has basic access, but is also still approved):
```
lucaswerkmeister@tools-sgebastion-07:~$ ls -l ~tools.isa/www/python/backup_config.yaml
-rw-rw-rw- 1 tools.isa tools.isa 305 Jun 25 2019 /data/project/isa/www/python/backup_config.yaml
lucaswerkmeister@tools-sgebastion-07:~$ cat ~tools.isa/www/python/backup_config.yaml
SECRET_KEY: TheSecretKeyIsStillWeirdButNotAHugeIssue
SQLALCHEMY_DATABASE_URI: 'mysql://s54010:ThisShouldStillNotBePublic@clouddb1001/s54010__isa'
OAUTH_MWURI: https://meta.wikimedia.org/w/index.php
CONSUMER_KEY: d7b550d86521513cfcb0b10d15089c4d
CONSUMER_SECRET: AndNeitherShouldThisBe
```
I haven’t found any other version of the config file.
```
lucaswerkmeister@tools-sgebastion-07:~$ find ~tools.isa/ -name node_modules -prune -or -\( -name '*.yaml' -or -name '*.yml' -\) -type f -print
find: ‘/data/project/isa/.cache’: Permission denied
find: ‘/data/project/isa/.config’: Permission denied
find: ‘/data/project/isa/.ssh’: Permission denied
/data/project/isa/www/python/backup_config.yaml
/data/project/isa/www/python/src/isa/config.yaml
```
Suggested quickfix:
- `sudo chmod go-rwx ~tools.isa/www/python/src/isa/config.yaml`
- `sudo mv ~tools.isa/www/python/backup_config.yaml ~root/T286411__backup_config.yaml`
- disable the old consumer
In the slightly longer term, the ISA developers should probably request and configure a new OAuth consumer, and the old one should be disabled, since any Toolforge user could have stolen its secret in the past two years or so.
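As an added example (not part of this report, ISA, or Toolforge), a small shell audit helper that finds the kind of exposure described above, YAML configs readable or writable by group/other that define secret-bearing keys, and applies the `chmod go-rwx` from the quickfix. It assumes GNU find and grep, and it builds its own constructed sample tree so it can be run without access to the tool's files.

```shell
#!/bin/sh
# Hypothetical audit helper (not part of ISA or Toolforge). It lists YAML config
# files whose mode grants group or other any access and which define keys that
# usually hold secrets, then offers the report's quickfix for each one.
# Assumes GNU find (-perm /mode) and grep -E.

# Print the path of every *.yaml/*.yml under $1 (node_modules pruned, as in the
# report's find) that is group/other-accessible and defines a secret-bearing key.
find_exposed_configs() {
    find "$1" -name node_modules -prune -o \
        \( -name '*.yaml' -o -name '*.yml' \) -type f -perm /077 -print 2>/dev/null |
    while IFS= read -r f; do
        if grep -Eq '^(SECRET_KEY|CONSUMER_SECRET|SQLALCHEMY_DATABASE_URI)[[:space:]]*:' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of exposed files as a single integer (useful for a cron alert).
count_exposed_configs() {
    find_exposed_configs "$1" | wc -l | tr -d ' '
}

# The quickfix from the report: strip all group/other bits from one file.
lock_down_config() {
    chmod go-rwx "$1"
}

# Constructed sample tree mirroring the layout in the report (placeholder values only).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/www/python/src/isa" "$demo_dir/node_modules/pkg"
printf 'SECRET_KEY: placeholder\nCONSUMER_SECRET: placeholder\n' \
    > "$demo_dir/www/python/src/isa/config.yaml"
chmod 666 "$demo_dir/www/python/src/isa/config.yaml"   # world rw, as in the report: reported
printf 'CONSUMER_SECRET: placeholder\n' > "$demo_dir/www/python/private.yaml"
chmod 600 "$demo_dir/www/python/private.yaml"           # owner-only already: not reported
printf 'debug: true\n' > "$demo_dir/www/python/harmless.yaml"
chmod 644 "$demo_dir/www/python/harmless.yaml"          # readable but holds no secret: not reported
printf 'CONSUMER_SECRET: x\n' > "$demo_dir/node_modules/pkg/config.yml"
chmod 644 "$demo_dir/node_modules/pkg/config.yml"       # under node_modules: pruned

echo "Exposed before fix:"; find_exposed_configs "$demo_dir"
find_exposed_configs "$demo_dir" | while IFS= read -r f; do lock_down_config "$f"; done
echo "Exposed after fix: $(count_exposed_configs "$demo_dir")"
```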