I noticed there are a lot of world-readable www/python/src/config.yaml files in tool home directories. (This is the standard configuration file path for Flask-based tools following the Wikitech guide and/or cookiecutter-toolforge.) 21 of them seem to contain a secret key (Flask’s way of protecting the session cookie against tampering) and/or OAuth credentials.
```
lucaswerkmeister@tools-sgebastion-07:~$ for file in /data/project/*/www/python/src/config.yaml; do if grep -qi -e secret_key -e oauth "$file" 2>/dev/null; then printf '%s\n' "$file"; fi; done
/data/project/brazilianlaws/www/python/src/config.yaml
/data/project/clpo13-flask/www/python/src/config.yaml
/data/project/funpedia/www/python/src/config.yaml
/data/project/glam2commons/www/python/src/config.yaml
/data/project/image-annotator/www/python/src/config.yaml
/data/project/ipwatcher/www/python/src/config.yaml
/data/project/k8s-status/www/python/src/config.yaml
/data/project/massmailer/www/python/src/config.yaml
/data/project/qrcode-generator/www/python/src/config.yaml
/data/project/sibutest/www/python/src/config.yaml
/data/project/toolviews/www/python/src/config.yaml
/data/project/tsbot/www/python/src/config.yaml
/data/project/visualcategories/www/python/src/config.yaml
/data/project/wdbeoupdate/www/python/src/config.yaml
/data/project/wikibrasoes/www/python/src/config.yaml
/data/project/wikifile-transfer/www/python/src/config.yaml
/data/project/wikimarcas/www/python/src/config.yaml
/data/project/wikimotivos/www/python/src/config.yaml
/data/project/wikiquantos/www/python/src/config.yaml
/data/project/wikiroupas/www/python/src/config.yaml
/data/project/wikiusos/www/python/src/config.yaml
```
(Specifically, 19 files match SECRET_KEY, and 19 match OAuth case-insensitively, and these sets mostly but not entirely overlap. Also, until a few hours ago, Wikidata Lexeme Forms was another one of these tools, see T286414.)
These should probably all be only user-accessible (chmod 600).
Affected tools
- brazilianlaws T286416#7207604
- clpo13-flask
- funpedia
- glam2commons
- image-annotator
- ipwatcher
- k8s-status (SECRET_KEY only)
- massmailer
- qrcode-generator
- sibutest
- toolviews (SECRET_KEY only)
- tsbot
- visualcategories
- wdbeoupdate (test tool)
- wikibrasoes T286416#7207604
- wikifile-transfer
- wikimarcas T286416#7207604
- wikimotivos T286416#7207604
- wikiquantos T286416#7207604
- wikiroupas T286416#7207604
- wikiusos T286416#7207604
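The following is an added example, not part of the task above and not Toolforge's own tooling. It turns the one-off grep in the report into a reusable audit that only flags the files that actually matter: a `config.yaml` under `*/www/python/src/` that is readable by group or other (the task's grep does not check permissions at all) and that mentions `secret_key` or `oauth`. Because the recommended end state is `chmod 600`, group-readable files are reported too, which is slightly stricter than "world-readable". With a second argument `fix` it applies the `chmod 600`. The function names `audit_configs` and `make_sample`, the `demo` argument and the three sample tool homes are all constructed here for the dry run; the real check would be run against `/data/project`.

```shell
#!/bin/sh
# Added example (not from the task or from Toolforge): find Flask-style
# config.yaml files that leak a SECRET_KEY or OAuth credentials through
# their permission bits, and optionally tighten them to 0600.
# Assumptions: POSIX find (-perm with octal modes), grep -i, and the
# <root>/<tool>/www/python/src/config.yaml layout the task describes.

# audit_configs ROOT [fix]
# Prints one path per line for every config.yaml under ROOT that is
# readable by group (040) or other (004) AND mentions secret_key/oauth
# (case-insensitive). With "fix" as the second argument, each such file
# is additionally chmod 600'd.
audit_configs() {
    root=$1
    mode=${2:-report}
    find "$root" -type f -path '*/www/python/src/config.yaml' \
        \( -perm -040 -o -perm -004 \) 2>/dev/null | sort |
    while IFS= read -r file; do
        # Same content test as the task's loop: secret key or OAuth material.
        if grep -qi -e secret_key -e oauth "$file" 2>/dev/null; then
            printf '%s\n' "$file"
            if [ "$mode" = fix ]; then
                chmod 600 "$file"
            fi
        fi
    done
}

# make_sample DIR
# Builds a constructed layout of three tool homes for a dry run:
#   tool-a: world-readable AND holds a SECRET_KEY  -> should be flagged
#   tool-b: holds OAuth material but is already 0600 -> should not
#   tool-c: world-readable but has no secret         -> should not
make_sample() {
    dir=$1
    for tool in tool-a tool-b tool-c; do
        mkdir -p "$dir/$tool/www/python/src"
    done
    printf 'SECRET_KEY: "not-a-real-key"\n' > "$dir/tool-a/www/python/src/config.yaml"
    chmod 644 "$dir/tool-a/www/python/src/config.yaml"
    printf 'oauth_consumer_key: "not-a-real-key"\n' > "$dir/tool-b/www/python/src/config.yaml"
    chmod 600 "$dir/tool-b/www/python/src/config.yaml"
    printf 'debug: true\n' > "$dir/tool-c/www/python/src/config.yaml"
    chmod 644 "$dir/tool-c/www/python/src/config.yaml"
}

# Dry run on the constructed sample: "sh audit.sh demo".
# Against a real bastion you would call: audit_configs /data/project
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp"
    echo "before fix:"
    audit_configs "$tmp"
    audit_configs "$tmp" fix >/dev/null
    echo "after fix (expected: nothing):"
    audit_configs "$tmp"
    rm -rf "$tmp"
fi
```

Only `tool-a` is reported on the first pass: `tool-b` keeps its secret but is already private, and `tool-c` is readable but has nothing sensitive in it. After `audit_configs ROOT fix` the second pass prints nothing. Note that `-perm` tests the mode bits, not effective access, so running the audit as root gives the same answer as running it as the tool user.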