
OAuth credentials of Cradle tool are world-readable on Toolforge
Closed, ResolvedPublicSecurity

Description

lucaswerkmeister-wmde@tools-sgebastion-10:~$ ls -l ~tools.cradle/oauth.ini
-rw-r--r-- 1 tools.cradle tools.cradle 132 Jun 21  2020 /data/project/cradle/oauth.ini
lucaswerkmeister-wmde@tools-sgebastion-10:~$ cat ~tools.cradle/oauth.ini
[settings]
agent = cradle
consumerKey = 53acb74957ae0127da32a89d2f99bf02
consumerSecret = [REDACTED]

This consumer should be revoked immediately, since its credentials have been effectively public to all other Toolforge users for two years. Afterwards, @Magnus can make a private copy of the file (install -m600 oauth.ini oauth.ini.new), request and approve a new OAuth consumer, put its credentials in there, then overwrite the old file with the new one. (Don’t just chmod the old file – file permissions are checked when opening a file, not when reading from it, so chmod’ing an existing file doesn’t prevent users who already have an open file description for it from reading new information.)
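The two remediation paths contrasted in the description, as an added shell example that is not part of this task or the Cradle tool: a reader that already holds the file open keeps seeing whatever is written into the same inode after a chmod, while the "private copy, new credentials, replace the old name" procedure leaves that reader on the old inode. Everything runs in a temporary directory with placeholder secrets; it assumes GNU coreutils (install, mv, ls) as found on the Toolforge bastions.

```shell
#!/bin/sh
# Added example, not from the task: why chmod on the leaked file is not enough,
# and why "install -m600 copy + write new creds + overwrite old name" is.
# Paths are a fresh temp directory; secret values are placeholders.
set -eu

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Create a world-readable credential file shaped like the leaked oauth.ini.
make_leaked_file() {
    printf '[settings]\nagent = cradle\nconsumerSecret = OLDSECRET\n' > "$1"
    chmod 644 "$1"
}

# Chmod-only "fix": the file keeps its inode, so a pre-existing open file
# description (fd 3, standing in for another user's `cat`) reads the NEW secret.
# Prints what that stale reader sees.
stale_reader_after_chmod_only() {
    f="$demo_dir/chmod.ini"
    make_leaked_file "$f"
    exec 3<"$f"                       # "other user" already has it open
    chmod go-rwx "$f"                 # permissions only matter at open() time
    printf '[settings]\nagent = cradle\nconsumerSecret = NEWSECRET\n' > "$f"
    cat <&3                           # same inode, new content: leaked again
    exec 3<&-
}

# Procedure from the task: private mode-600 copy, new credentials into the copy,
# rename the copy over the old name. The stale reader still holds the OLD inode.
stale_reader_after_replace() {
    f="$demo_dir/replace.ini"
    make_leaked_file "$f"
    exec 3<"$f"
    install -m600 "$f" "$f.new"       # copy is owner-only from the moment it exists
    printf '[settings]\nagent = cradle\nconsumerSecret = NEWSECRET\n' > "$f.new"
    mv -f "$f.new" "$f"               # new inode takes over the name atomically
    cat <&3                           # old inode: only the already-revoked secret
    exec 3<&-
}

# Mode bits of the replaced file, as `ls -l` prints them (expected -rw-------).
replaced_file_mode() {
    ls -l "$demo_dir/replace.ini" | cut -c1-10
}

main() {
    echo '== stale reader after chmod only =='; stale_reader_after_chmod_only
    echo '== stale reader after replace ==';    stale_reader_after_replace
    echo '== mode of replaced file ==';         replaced_file_mode
}
main
```

The script uses a file description held by the same shell, but the mechanism is identical for a different user: the kernel checks permissions at open(), never on later read() calls, so only replacing the inode (and revoking the consumer) cuts off readers who opened the file while it was world-readable.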

Details

Risk Rating
High
Author Affiliation
Wikimedia Deutschland

Event Timeline

CCing @LucasWerkmeister so I can do something about this – I have Toolforge root as a volunteer (gained two months after this task was filed, see T314527) but security issue access only as staff lol

I chmoded the file.

lucaswerkmeister@tools-sgebastion-10:~$ ls -l ~tools.cradle/oauth.ini
-rw-r--r-- 1 tools.cradle tools.cradle 132 Jun 21  2020 /data/project/cradle/oauth.ini
lucaswerkmeister@tools-sgebastion-10:~$ sudo chmod go-rwx ~tools.cradle/oauth.ini # T314135
lucaswerkmeister@tools-sgebastion-10:~$ ls -l ~tools.cradle/oauth.ini
-rw------- 1 tools.cradle tools.cradle 132 Jun 21  2020 /data/project/cradle/oauth.ini

This doesn’t change the fact that the consumer was world-readable for almost three years, so it should still be revoked and replaced. But at least the file is no longer readable now.

Thanks, I'll replace it when I get a chance

JJMC89 claimed this task.
JJMC89 subscribed.

I've disabled the consumer since Magnus did not take the necessary action.

I think we can make this task public, by the way? (Users are starting to ask why the tool is broken, and AFAIK Magnus is the only one who can fix it.)

sbassett triaged this task as High priority. Dec 2 2024, 4:48 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to High.