
notwikilambda pygments server allows revealing secrets
Closed, Resolved | Public | Security

Description

The notwikilambda pygments server set up in T283754: Request increased quota for notwikilambda Toolforge tool allows any Toolforge tool account to read any file as tools.notwikilambda:

[tools.majavah-bot@tools-sgebastion-08 ~] $ webservice shell
[tools.majavah-bot@interactive ~] $ curl -X POST http://pygments-server.tool-notwikilambda.svc:7879?args=..%2F..%2F..%2Fpublic_html%2Fw%2FPrivateSettings.php
<?php
# This file contains the MediaWiki settings that should not be public.
# (It is manually edited.)
[... actual secrets removed...]

The fix here is to use Kubernetes network policies to limit incoming traffic to the pygments server service.

Details

Author Affiliation
Wikimedia Communities

Event Timeline

> The fix here is to use Kubernetes network policies to limit incoming traffic to the pygments server service.

That sounds fine, but surely there’s no reason to mount those secrets into the container in the first place? Then it wouldn’t matter who can access it.

Mentioned in SAL (#wikimedia-cloud) [2021-07-15T17:53:00Z] <wm-bot> <lucaswerkmeister> only mount ~/www/python into pygments-server pod (T286724)

> That sounds fine, but surely there’s no reason to mount those secrets into the container in the first place? Then it wouldn’t matter who can access it.

That works too, as long as you make sure Kubernetes does not mount your service account to the pod on /var/run/secrets: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server. That also applies to function-evaluator. If you want to be extra safe you could do both.

Ugh, you’re right.

tools.lexeme-forms@interactive:~$ ~tools.notwikilambda/www/python/src/pygmentize /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -l sh </dev/null
-----BEGIN CERTIFICATE-----
REDACTED REDACTED REDACTED
-----END CERTIFICATE-----

Thanks.

Mentioned in SAL (#wikimedia-cloud) [2021-07-15T18:24:00Z] <wm-bot> <lucaswerkmeister> don’t mount service tokens into pods (T286724)

I thought a generally accessible pygments-server might potentially be useful, but now I don’t feel confident enough anymore that k8s isn’t mounting random stuff elsewhere in the container. Let’s see if I can figure out network policies.

Mentioned in SAL (#wikimedia-cloud) [2021-07-15T18:49:00Z] <wm-bot> <lucaswerkmeister> block external traffic to internal pods (T286724)

Alright, after a false start where I accidentally took down the wiki by blocking ingress to all pods, including the webservice, I think it’s working now.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy
  namespace: tool-notwikilambda
  labels:
    name: network-policy
spec:
  podSelector:
    matchLabels:
      networking: internal
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: tool-notwikilambda
    # reject all ingress connections from pods in other namespaces

(With networking: internal added to the spec.template.metadata.labels of the four deployments.)

LucasWerkmeister claimed this task.

I think this is fixed; no secrets were revealed in this task, so I think it can be made public too.

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett added a project: SecTeam-Processed.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".

The other fix is to do basic validation of the query string input before using it to access files on disk. This is OWASP 101 level stuff.

The whole point of my pygments-server, as opposed to the other one, is that it doesn’t parse the command line, because that limits the ways in which it can be used. I don’t control Extension:SyntaxHighlight, I don’t know which parts of pygments’ CLI it’ll start to use tomorrow.

Mentioned in SAL (#wikimedia-cloud) [2021-07-15T21:05:40Z] <wm-bot> <lucaswerkmeister> updated pygments-server to 2d4ab81a68 (prevent open(); T286724)

But as an approximation, I’ve pushed a pygments-server change to override the Python open() function before calling Pygments. It may break if Pygments changes how it reads files, but for now it works as another defense layer (I’ve tested it locally).
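
The idea in the last comment, disabling Python's open() while caller-supplied arguments are processed, can be sketched as follows. This is an added example, not the code from the pygments-server commit; fake_cli is a hypothetical stand-in for the highlighter's command line, and the request values are constructed.

```python
import builtins
import contextlib
import io


def _denied(file, *args, **kwargs):
    raise PermissionError(f"file access disabled while highlighting: {file!r}")


@contextlib.contextmanager
def no_file_open():
    """Swap builtins.open and io.open for a refusing stub, then restore them."""
    saved = (builtins.open, io.open)
    builtins.open = io.open = _denied
    try:
        yield
    finally:
        builtins.open, io.open = saved


def fake_cli(args, stdin_text):
    """Hypothetical stand-in for a highlighter CLI: a positional argument is
    read as the input file, otherwise the request body (stdin) is used."""
    positional, it = [], iter(args)
    for arg in it:
        if arg == "-l":
            next(it, None)  # skip the lexer name that follows -l
        elif not arg.startswith("-"):
            positional.append(arg)
    if positional:
        with open(positional[0]) as fh:  # resolved via builtins at call time
            return fh.read()
    return stdin_text


def handle_request(args, body):
    """Run the CLI with caller-supplied args, with open() disabled."""
    with no_file_open():
        try:
            return ("ok", fake_cli(args, body))
        except PermissionError:
            return ("denied", "")


if __name__ == "__main__":
    # Constructed inputs: a file-path argument is refused, stdin still works.
    print(handle_request(["../../../public_html/w/PrivateSettings.php"], ""))
    print(handle_request(["-l", "sh"], "echo hi"))
```

The stub only covers code that reaches files through builtins.open or io.open; os.open and native extensions are untouched, so it complements the restricted mounts and the network policy rather than replacing them.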