
ISA tool configuration is public
Closed, Resolved · Public · Security

Description

I’ve noticed that the configuration of ISA on Toolforge is public / world-readable:

lucaswerkmeister@tools-sgebastion-07:~$ ls -l ~tools.isa/www/python/src/isa/config.yaml
-rw-rw-rw- 1 tools.isa tools.isa 404 Aug  1  2019 /data/project/isa/www/python/src/isa/config.yaml
lucaswerkmeister@tools-sgebastion-07:~$ cat ~tools.isa/www/python/src/isa/config.yaml
SECRET_KEY: TheSecretKeyIsWeirdButNotAHugeIssue
SQLALCHEMY_DATABASE_URI: 'mysql+pymysql://s54010:ThisPasswordShouldNotBePublic@clouddb1001/s54010__isa'
OAUTH_MWURI: https://meta.wikimedia.org/w/index.php
OAUTh_EDIT_URI: https://test-commons.wikimedia.org/w/api.php
CONSUMER_KEY: 782e467d43afe9f47ab8c0a9670bde48
CONSUMER_SECRET: NorShouldThisConsumerSecret
SQLALCHEMY_POOL_RECYCLE: 90

This includes the ToolsDB password and the secret key of the OAuth consumer. (Also, the file is even world-writable? But the fact that it’s readable is definitely the bigger issue, in my opinion.)

There’s also an older version of the file, with the same database password but a different OAuth consumer (which only has basic access, but is also still approved):

lucaswerkmeister@tools-sgebastion-07:~$ ls -l ~tools.isa/www/python/backup_config.yaml 
-rw-rw-rw- 1 tools.isa tools.isa 305 Jun 25  2019 /data/project/isa/www/python/backup_config.yaml
lucaswerkmeister@tools-sgebastion-07:~$ cat ~tools.isa/www/python/backup_config.yaml
SECRET_KEY: TheSecretKeyIsStillWeirdButNotAHugeIssue
SQLALCHEMY_DATABASE_URI: 'mysql://s54010:ThisShouldStillNotBePublic@clouddb1001/s54010__isa'
OAUTH_MWURI: https://meta.wikimedia.org/w/index.php
CONSUMER_KEY: d7b550d86521513cfcb0b10d15089c4d
CONSUMER_SECRET: AndNeitherShouldThisBe

I haven’t found any other version of the config file.

lucaswerkmeister@tools-sgebastion-07:~$ find ~tools.isa/ -name node_modules -prune -or -\( -name '*.yaml' -or -name '*.yml' -\) -type f -print
find: ‘/data/project/isa/.cache’: Permission denied
find: ‘/data/project/isa/.config’: Permission denied
find: ‘/data/project/isa/.ssh’: Permission denied
/data/project/isa/www/python/backup_config.yaml
/data/project/isa/www/python/src/isa/config.yaml

Suggested quickfix:

  • sudo chmod go-rwx ~tools.isa/www/python/src/isa/config.yaml
  • sudo mv ~tools.isa/www/python/backup_config.yaml ~root/T286411__backup_config.yaml
  • disable the old consumer

In the slightly longer term, the ISA developers should probably request and configure a new OAuth consumer, and the old one should be disabled, since any Toolforge user could have stolen its secret in the past two years or so.
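A small audit script for this class of exposure, added here as an example and not part of the task or of the ISA tool: it lists YAML configs under a tool directory that group or others can read, applies the quickfix above (`chmod go-rwx`), and verifies the result on a constructed fixture. It assumes GNU coreutils `stat -c`, as on Debian-based Toolforge hosts; the file names and contents in the demo are placeholders.

```shell
#!/bin/sh
# Added example, not from the task or the ISA tool: audit a tool directory for
# YAML configs readable by group/others and apply the quickfix (chmod go-rwx).
# Assumes GNU coreutils `stat -c` (Debian, as on Toolforge bastions).

# Succeed when FILE has any group or other permission bit set.
exposed_mode() {
    mode=$(stat -c '%a' "$1") || return 2      # octal, e.g. 666 or 1777
    go=$(printf '%s' "$mode" | tail -c 2)      # last two digits: group, other
    [ "$go" != "00" ]
}

# List *.yaml/*.yml under DIR (skipping node_modules, as the task's find did)
# whose mode exposed_mode flags.
find_exposed_configs() {
    find "$1" -name node_modules -prune -o \( -name '*.yaml' -o -name '*.yml' \) \
        -type f -print 2>/dev/null |
    while IFS= read -r f; do
        exposed_mode "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Number of exposed configs under DIR.
count_exposed() {
    find_exposed_configs "$1" | wc -l | tr -d ' '
}

# The task's quickfix: strip every group/other bit from FILE.
lock_down() {
    chmod go-rwx "$1"
}

# Demo on a constructed fixture: one -rw-rw-rw- config (as in the report) and one
# already-private file. Contents are placeholders, not real secrets.
demo() {
    d=$(mktemp -d) || return 1
    printf 'SECRET_KEY: placeholder\n' > "$d/config.yaml"
    printf 'SECRET_KEY: placeholder\n' > "$d/private.yml"
    chmod 666 "$d/config.yaml"
    chmod 600 "$d/private.yml"
    echo "exposed before fix: $(count_exposed "$d")"   # 1
    find_exposed_configs "$d" | while IFS= read -r f; do lock_down "$f"; done
    echo "exposed after fix:  $(count_exposed "$d")"   # 0
    rm -rf "$d"
}

demo
```

Run it against a tool's `www/python` tree to get the list of files to fix; stray copies such as the `backup_config.yaml` above show up the same way.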

Details

Risk Rating
High
Author Affiliation
Wikimedia Deutschland

Event Timeline

Tentatively classifying as Vuln-Infoleak, though I’m not certain about that.

> In the slightly longer term, the ISA developers should probably request and configure a new OAuth consumer, and the old one should be disabled, since any Toolforge user could have stolen its secret in the past two years or so.

See T286414: Wikidata Lexeme Forms tool configuration was public for an example of doing this (turns out I made the same mistake in one of my own tools).

Urbanecm added a subscriber: Urbanecm.

OAuth consumers disabled; credentials leak should result in rotation. For DB password, cloud-services-team can rotate them. Adding their tag.

sbassett added a subscriber: sbassett.

> Tentatively classifying as Vuln-Infoleak, though I’m not certain about that.

That's fine and appropriate.

sbassett changed Risk Rating from N/A to High. Jul 12 2021, 8:30 PM

Thanks for proposing a fix and for disabling the previous consumer. Could this be closed now @LucasWerkmeister?

> Thanks for proposing a fix and for disabling the previous consumer. Could this be closed now @LucasWerkmeister?

I believe this piece, from @Urbanecm's comment above, still needs to be addressed or at least confirmed?

> For DB password, cloud-services-team can rotate them.

The tool's wiki replica credentials have been rotated.

Jul 13 14:17:03 labstore1004 systemd[1]: Started Maintain labsdb accounts.
Jul 13 16:48:57 labstore1004 /usr/local/sbin/maintain-dbusers[34031]: Wrote replica.my.cnf for tool tools.isa

Thanks, @bd808. I believe this task should be safe to resolve and make public, unless anyone has any objections or sees any PII/sensitive data that I've missed.

>> Thanks for proposing a fix and for disabling the previous consumer. Could this be closed now @LucasWerkmeister?

> I believe this piece, from @Urbanecm's comment above, still needs to be addressed or at least confirmed?

>> For DB password, cloud-services-team can rotate them.

We will be requesting a new consumer for the application from now on. @bd808 I have no objections to this task being marked as resolved.

sbassett triaged this task as Low priority.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Jul 15 2021, 2:25 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".