Page MenuHomePhabricator
Create Task
Maniphest T286411

ISA tool configuration is public
Closed, ResolvedPublicSecurity
Actions

Description

I’ve noticed that the configuration of ISA on Toolforge is public / world-readable:

lucaswerkmeister@tools-sgebastion-07:~$ ls -l ~tools.isa/www/python/src/isa/config.yaml
-rw-rw-rw- 1 tools.isa tools.isa 404 Aug  1  2019 /data/project/isa/www/python/src/isa/config.yaml
lucaswerkmeister@tools-sgebastion-07:~$ cat ~tools.isa/www/python/src/isa/config.yaml
SECRET_KEY: TheSecretKeyIsWeirdButNotAHugeIssue
SQLALCHEMY_DATABASE_URI: 'mysql+pymysql://s54010:ThisPasswordShouldNotBePublic@clouddb1001/s54010__isa'
OAUTH_MWURI: https://meta.wikimedia.org/w/index.php
OAUTh_EDIT_URI: https://test-commons.wikimedia.org/w/api.php
CONSUMER_KEY: 782e467d43afe9f47ab8c0a9670bde48
CONSUMER_SECRET: NorShouldThisConsumerSecret
SQLALCHEMY_POOL_RECYCLE: 90

This includes the ToolsDB password and the secret key of the OAuth consumer. (Also, the file is even world-writable? But the fact that it’s readable is definitely the bigger issue, in my opinion.)

There’s also an older version of the file, with the same database password but a different OAuth consumer (which only has basic access, but is also still approved):

lucaswerkmeister@tools-sgebastion-07:~$ ls -l ~tools.isa/www/python/backup_config.yaml 
-rw-rw-rw- 1 tools.isa tools.isa 305 Jun 25  2019 /data/project/isa/www/python/backup_config.yaml
lucaswerkmeister@tools-sgebastion-07:~$ cat ~tools.isa/www/python/backup_config.yaml
SECRET_KEY: TheSecretKeyIsStillWeirdButNotAHugeIssue
SQLALCHEMY_DATABASE_URI: 'mysql://s54010:ThisShouldStillNotBePublic@clouddb1001/s54010__isa'
OAUTH_MWURI: https://meta.wikimedia.org/w/index.php
CONSUMER_KEY: d7b550d86521513cfcb0b10d15089c4d
CONSUMER_SECRET: AndNeitherShouldThisBe

I haven’t found any other version of the config file.

lucaswerkmeister@tools-sgebastion-07:~$ find ~tools.isa/ -name node_modules -prune -or -\( -name '*.yaml' -or -name '*.yml' -\) -type f -print
find: ‘/data/project/isa/.cache’: Permission denied
find: ‘/data/project/isa/.config’: Permission denied
find: ‘/data/project/isa/.ssh’: Permission denied
/data/project/isa/www/python/backup_config.yaml
/data/project/isa/www/python/src/isa/config.yaml

Suggested quickfix:

  • sudo chmod go-rwx ~tools.isa/www/python/src/isa/config.yaml
  • sudo mv ~tools.isa/www/python/backup_config.yaml ~root/T286411__backup_config.yaml
  • disable the old consumer

In the slightly longer term, the ISA developers should probably request and configure a new OAuth consumer, and the old one should be disabled, since any Toolforge user could have stolen its secret in the past two years or so.

Details

Risk Rating
High
Author Affiliation
Wikimedia Deutschland

Related Objects

Event Timeline

LucasWerkmeister created this task.Jul 11 2021, 11:27 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 11 2021, 11:27 AM
LucasWerkmeister added a project: ISA.Jul 11 2021, 11:27 AM
LucasWerkmeister updated the task description. (Show Details)
LucasWerkmeister added a project: Vuln-Infoleak.Jul 11 2021, 11:50 AM

Tentatively classifying as Vuln-Infoleak, though I’m not certain about that.

LucasWerkmeister added a project: Toolforge.Jul 11 2021, 1:22 PM
LucasWerkmeister added a comment.Jul 11 2021, 5:13 PM

In the slightly longer term, the ISA developers should probably request and configure a new OAuth consumer, and the old one should be disabled, since any Toolforge user could have stolen its secret in the past two years or so.

See T286414: Wikidata Lexeme Forms tool configuration was public for an example of doing this (turns out I made the same mistake in one of my own tools).

Urbanecm added a project: cloud-services-team.Jul 11 2021, 11:22 PM
Urbanecm subscribed.

OAuth consumers disabled; credentials leak should result in rotation. For DB password, cloud-services-team can rotate them. Adding their tag.

Restricted Application edited projects, added cloud-services-team (Kanban); removed cloud-services-team. · View Herald TranscriptJul 11 2021, 11:22 PM
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Jul 12 2021, 4:00 PM
sbassett subscribed.
In T286411#7203452, @LucasWerkmeister wrote:

Tentatively classifying as Vuln-Infoleak, though I’m not certain about that.

That's fine and appropriate.

sbassett changed Risk Rating from N/A to High.Jul 12 2021, 8:30 PM
Eugene233 claimed this task.Jul 13 2021, 10:23 AM

Thanks for proposing a fix and for disabling the previous consumer. Could this be closed now @LucasWerkmeister?

Eugene233 moved this task from Backlog to Incoming features on the ISA board.Jul 13 2021, 10:23 AM
Eugene233 moved this task from Incoming features to In progress on the ISA board.
sbassett added a comment.Jul 13 2021, 4:17 PM
In T286411#7208081, @Eugene233 wrote:

Thanks for proposing a fix and for disabling the previous consumer. Could this be closed now @LucasWerkmeister?

I believe this piece, from @Urbanecm's comment above, still needs to be addressed or at least confirmed?

In T286411#7203843, @Urbanecm wrote:

For DB password, cloud-services-team can rotate them.

bd808 moved this task from Inbox to Clinic Duty on the cloud-services-team (Kanban) board.Jul 13 2021, 4:44 PM
bd808 subscribed.Jul 13 2021, 4:50 PM

The tool's wiki replica credentials have been rotated.

Jul 13 14:17:03 labstore1004 systemd[1]: Started Maintain labsdb accounts.
Jul 13 16:48:57 labstore1004 /usr/local/sbin/maintain-dbusers[34031]: Wrote replica.my.cnf for tool tools.isa
sbassett added a comment.Jul 13 2021, 6:37 PM

Thanks, @bd808. I believe this task should be safe to resolve and make public, unless anyone has any objections or sees any PII/sensitive data that I've missed.

Eugene233 added a comment.Jul 15 2021, 11:40 AM
In T286411#7209033, @sbassett wrote:
In T286411#7208081, @Eugene233 wrote:

Thanks for proposing a fix and for disabling the previous consumer. Could this be closed now @LucasWerkmeister?

I believe this piece, from @Urbanecm's comment above, still needs to be addressed or at least confirmed?

In T286411#7203843, @Urbanecm wrote:

For DB password, cloud-services-team can rotate them.

We will be requesting for a new consumer for the application from now. @bd808 I have no objections to this task being marked as resolved.

sbassett closed this task as Resolved.Jul 15 2021, 2:19 PM
sbassett triaged this task as Low priority.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 15 2021, 2:25 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL