[CKAN-Security] Fwd: Upcoming CKAN release -- Security patches?

Adrià Mercader adria.mercader at okfn.org
Thu Jun 27 07:58:25 UTC 2019


---------- Forwarded message ---------
From: Eric Soroos <eric at derilinx.com>
Date: Wed, 26 Jun 2019 at 13:02
Subject: Re: Upcoming CKAN release -- Security patches?
To: Adrià Mercader <adria.mercader at okfn.org>


Adrià,

Thanks for getting back to me.  Since the initial email went out, I've
realized that this is perhaps a bit more dangerous than I realized.

If someone can find an XSS vulnerability or CORS misconfiguration in a
CKAN install, then this is the only additional step to a full
compromise. I know that there's been one XSS bug in the past, and
given the plugin landscape, I'm certain that there are others out
there, even if CKAN core is fine.

My experience in other open source communities is that this is a good
candidate for an embargoed release, as it's trivially exploitable if
someone has one other bug in their pocket. I realize that this is a
hard issue to do in a point release, as it intentionally breaks some
backwards compatibility, but having a patch and a plan is far
preferable to not having a patch and having the security issue leak
anyway.

FWIW, this is the hotfix patch that I'm using, It appears to be good
for my uses.  It fixes the basic leak, but doesn't go any farther.

diff --git a/ckan/ckan/lib/dictization/model_dictize.py
b/ckan/ckan/lib/dictization/model_dictize.py
index 9acb150..44e1eda 100644
--- a/ckan/ckan/lib/dictization/model_dictize.py
+++ b/ckan/ckan/lib/dictization/model_dictize.py
@@ -577,16 +577,11 @@ def user_dictize(user, context,
include_password_hash=False):
         result_dict['apikey'] = apikey



     if requester == user.name:
-        result_dict['apikey'] = apikey
         result_dict['email'] = email



     if authz.is_sysadmin(requester):
-        result_dict['apikey'] = apikey
         result_dict['email'] = email



-        if include_password_hash:
-            result_dict['password_hash'] = password_hash
-
     model = context['model']
     session = model.Session



diff --git a/ckan/ckanext/datapusher/logic/action.py
b/ckan/ckanext/datapusher/logic/action.py
index b530273..da6bf54 100644
--- a/ckan/ckanext/datapusher/logic/action.py
+++ b/ckan/ckanext/datapusher/logic/action.py
@@ -64,6 +64,7 @@ def datapusher_submit(context, data_dict):
     site_url = h.url_for('/', qualified=True)
     callback_url = h.url_for('/api/3/action/datapusher_hook', qualified=True)



+    context['keep_apikey'] = True
     user = p.toolkit.get_action('user_show')(context, {'id': context['user']})



     for plugin in p.PluginImplementations(interfaces.IDataPusher):


eric


On Jun 26, 2019, at 11:10 AM, Adrià Mercader <adria.mercader at okfn.org> wrote:

Hi Eric,

Thanks for reaching out, and many apologies that we didn't get back to
you on your original email. I don't know what happened but we
obviously failed to respond adequately.

The upcoming patch releases doesn't contain any API key related
changes. You raise some very valid points in your email and there have
been discussions around API key management refactoring for a while but
due to limited resources we haven't been able to work on that front.
Perhaps your employer can help fund work on this?

We can discuss the issue and come up with an implementation plan on
the next dev meeting (https://hack.allmende.io/ckan-meeting#) You are
more than welcome to join and discuss the issue with the tech team and
others (meetings are open to everyone)

Best,


Adrià

On Wed, 26 Jun 2019 at 11:51, Eric Soroos <eric at derilinx.com> wrote:


Hi Adrià,

I was wondering if you could tell me if the security issue that I
raised on the security at ckan.org list on May 29 is going to be patched
in the upcoming point releases?

I haven't heard anything back from the CKAN org, and I'm worried about this one.

Thanks

eric

Eric Soroos, Senior Developer
Derilinx - Linked & Open Data Solutions

Web: www.derilinx.com
Email: eric at derilinx.com
Address: 11/12 Baggot Court, Dublin 2, D02 F891
Tel: +353 (0)1 254 4316
Mob: +353 (0)83 8730257
Twitter: @derilinx


Eric Soroos, Senior Developer
Derilinx - Linked & Open Data Solutions

Web: www.derilinx.com
Email: eric at derilinx.com
Address: 11/12 Baggot Court, Dublin 2, D02 F891
Tel: +353 (0)1 254 4316
Mob: +353 (0)83 8730257
Twitter: @derilinx



More information about the Security mailing list