
cabalbot oauth consumer secret publicly visible
Closed, Resolved / Public / Security

Description

https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/b63c6b6b661a975081e28feb6ed75d9f is an approved oauth consumer. It is possible to view the secret.

zabe@tools-sgebastion-07:~$ cat /data/project/cabalbot/www/python/src/config.yaml 
GREETING: Welcome to CabalBot's SAM plugin login page.
SECRET_KEY: $(python -c "import os; print repr(os.urandom(24))")
OAUTH_MWURI: https://meta.wikimedia.org/w/index.php
CONSUMER_KEY: b63c6b6b661a975081e28feb6ed75d9f
CONSUMER_SECRET: e2e0a39c43381ef2dd8becd6c76b0b08004238d9
zabe@tools-sgebastion-07:~$

Details

Risk Rating
High
Author Affiliation
Wikimedia Communities

Event Timeline

taavi subscribed.

Raising priority due to the sensitive grants on that consumer which seems to be shipping those credentials into some offsite application (@Operator873, can you please not self-approve such consumers?).

Zabe changed Risk Rating from N/A to High. Apr 18 2022, 5:16 PM

removed until someone can advise how to have these in place without being visible. This was created following the guide.

> removed until someone can advise how to have these in place without being visible.

You need to change the mode of the config file to not allow others to see it, doing chmod 0600 should do the trick.

zabe@tools-sgebastion-10:~$ cat /data/project/zabe-test/testconfig.yaml 
some secret
zabe@tools-sgebastion-10:~$ become zabe-test
tools.zabe-test@tools-sgebastion-10:~$ chmod 0600 testconfig.yaml 
tools.zabe-test@tools-sgebastion-10:~$ exit
logout
zabe@tools-sgebastion-10:~$ cat /data/project/zabe-test/testconfig.yaml 
cat: /data/project/zabe-test/testconfig.yaml: Permission denied
zabe@tools-sgebastion-10:~$

But you should generate a new consumer anyway, since you can't be sure that it hasn't been compromised.

Edit: chmod 600 does work, but should not be used for new tools, see T286416#7862577
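As an added example (not code from the ticket or from the bot itself), here is a Python check for the exposure described above: it flags a flat `KEY: value` config file that carries secret-bearing keys while its mode grants group or other access, then applies the same owner-only 0600 fix. The key names are taken from the ticket's config; the file contents and values are constructed placeholders.

```python
"""Audit a Toolforge-style config.yaml for secrets readable by other users."""
import os
import stat
import tempfile

# Keys whose values must not be readable by other users (from the ticket's config).
SECRET_KEYS = {"CONSUMER_SECRET", "SECRET_KEY"}


def secret_keys_in(path):
    """Return the secret-bearing keys present in a flat KEY: value YAML file."""
    found = set()
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            key, sep, _ = line.partition(":")
            if sep and key.strip() in SECRET_KEYS:
                found.add(key.strip())
    return found


def exposed_bits(path):
    """Permission bits that grant group/other access; 0 means owner-only."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077


def audit(path):
    """Return a list of findings; an empty list means the file is fine."""
    keys = secret_keys_in(path)
    bits = exposed_bits(path)
    if keys and bits:
        return [f"{path}: holds {sorted(keys)} but mode grants others 0o{bits:03o}"]
    return []


def fix(path):
    """Restrict the file to owner read/write, i.e. the chmod 0600 from the ticket."""
    os.chmod(path, 0o600)


def demo():
    """Constructed config with placeholder values; returns (before, after) findings."""
    cfg = os.path.join(tempfile.mkdtemp(), "config.yaml")
    with open(cfg, "w", encoding="utf-8") as fh:
        fh.write("GREETING: Welcome to CabalBot's SAM plugin login page.\n"
                 "OAUTH_MWURI: https://meta.wikimedia.org/w/index.php\n"
                 "CONSUMER_KEY: <placeholder-key>\n"
                 "CONSUMER_SECRET: <placeholder-secret>\n")
    os.chmod(cfg, 0o644)  # world-readable, the state that exposed the secret
    before = audit(cfg)
    fix(cfg)
    return before, audit(cfg)


if __name__ == "__main__":
    print(*demo()[0], sep="\n")
```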

> This was created following the guide.

Maybe that needs some updating.

@Zabe Thank you and I'll be doing precisely that update to the guide. In the meantime, the consumer has been disabled and, if I decide to go this path again, will be correctly permissioned. Thank you for finding it. @Majavah Messaged you offline.

The consumer has been disabled, the key/secret removed from the file, and the plugin on the bot itself completely disabled. I hesitate to alter the status of this ticket myself so will allow others to verify my claims and adjust status as needed.

Zabe closed this task as Resolved. Edited Apr 18 2022, 11:54 PM
Zabe added a subscriber: sbassett.

> @Zabe Thank you and I'll be doing precisely that update to the guide. In the meantime, the consumer has been disabled and, if I decide to go this path again, will be correctly permissioned. Thank you for finding it. @Majavah Messaged you offline.

Actually undid the documentation change per T286416#7862577.

> The consumer has been disabled, the key/secret removed from the file, and the plugin on the bot itself completely disabled. I hesitate to alter the status of this ticket myself so will allow others to verify my claims and adjust status as needed.

Should be fine to close.

@sbassett could you make this public?

> The consumer has been disabled, the key/secret removed from the file, and the plugin on the bot itself completely disabled. I hesitate to alter the status of this ticket myself so will allow others to verify my claims and adjust status as needed.

I can verify the config is gone:

sbassett@tools-sgebastion-07:~$ cat /data/project/cabalbot/www/python/src/config.yaml 
cat: /data/project/cabalbot/www/python/src/config.yaml: No such file or directory

And the consumer is currently disabled: https://meta.wikimedia.org/w/index.php?title=Special:Log&logid=47890753

So I think that should be good enough.

> @sbassett could you make this public?

Yes, I will do that now.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Apr 19 2022, 3:04 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".