[CKAN-Security] Fwd: Upcoming CKAN release -- Security patches?

• Previous message: [CKAN-Security] Fwd: Upcoming CKAN release -- Security patches?
• Next message: [CKAN-Security] Fwd: Upcoming CKAN release -- Security patches?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

How does this fix work if we're still showing the apikey on the user's
profile page? IIUC we'd have to disable that page too.

On Thu, Jun 27, 2019 at 3:58 AM Adrià Mercader <adria.mercader at okfn.org> wrote:
>
> ---------- Forwarded message ---------
> From: Eric Soroos <eric at derilinx.com>
> Date: Wed, 26 Jun 2019 at 13:02
> Subject: Re: Upcoming CKAN release -- Security patches?
> To: Adrià Mercader <adria.mercader at okfn.org>
>
>
> Adrià,
>
> Thanks for getting back to me.  Since the initial email went out, I've
> realized that this is perhaps a bit more dangerous than I realized.
>
> If someone can find an XSS vulnerability or CORS misconfiguration in a
> CKAN install, then this is the only additional step to a full
> compromise. I know that there's been one XSS bug in the past, and
> given the plugin landscape, I'm certain that there are others out
> there, even if CKAN core is fine.
>
> My experience in other open source communities is that this is a good
> candidate for an embargoed release, as it's trivially exploitable if
> someone has one other bug in their pocket. I realize that this is a
> hard issue to do in a point release, as it intentionally breaks some
> backwards compatibility, but having a patch and a plan is far
> preferable to not having a patch and having the security issue leak
> anyway.
>
> FWIW, this is the hotfix patch that I'm using, It appears to be good
> for my uses.  It fixes the basic leak, but doesn't go any farther.
>
> diff --git a/ckan/ckan/lib/dictization/model_dictize.py
> b/ckan/ckan/lib/dictization/model_dictize.py
> index 9acb150..44e1eda 100644
> --- a/ckan/ckan/lib/dictization/model_dictize.py
> +++ b/ckan/ckan/lib/dictization/model_dictize.py
> @@ -577,16 +577,11 @@ def user_dictize(user, context,
> include_password_hash=False):
>          result_dict['apikey'] = apikey
>
>
>
>      if requester == user.name:
> -        result_dict['apikey'] = apikey
>          result_dict['email'] = email
>
>
>
>      if authz.is_sysadmin(requester):
> -        result_dict['apikey'] = apikey
>          result_dict['email'] = email
>
>
>
> -        if include_password_hash:
> -            result_dict['password_hash'] = password_hash
> -
>      model = context['model']
>      session = model.Session
>
>
>
> diff --git a/ckan/ckanext/datapusher/logic/action.py
> b/ckan/ckanext/datapusher/logic/action.py
> index b530273..da6bf54 100644
> --- a/ckan/ckanext/datapusher/logic/action.py
> +++ b/ckan/ckanext/datapusher/logic/action.py
> @@ -64,6 +64,7 @@ def datapusher_submit(context, data_dict):
>      site_url = h.url_for('/', qualified=True)
>      callback_url = h.url_for('/api/3/action/datapusher_hook', qualified=True)
>
>
>
> +    context['keep_apikey'] = True
>      user = p.toolkit.get_action('user_show')(context, {'id': context['user']})
>
>
>
>      for plugin in p.PluginImplementations(interfaces.IDataPusher):
>
>
> eric
>
>
> On Jun 26, 2019, at 11:10 AM, Adrià Mercader <adria.mercader at okfn.org> wrote:
>
> Hi Eric,
>
> Thanks for reaching out, and many apologies that we didn't get back to
> you on your original email. I don't know what happened but we
> obviously failed to respond adequately.
>
> The upcoming patch releases doesn't contain any API key related
> changes. You raise some very valid points in your email and there have
> been discussions around API key management refactoring for a while but
> due to limited resources we haven't been able to work on that front.
> Perhaps your employer can help fund work on this?
>
> We can discuss the issue and come up with an implementation plan on
> the next dev meeting (https://hack.allmende.io/ckan-meeting#) You are
> more than welcome to join and discuss the issue with the tech team and
> others (meetings are open to everyone)
>
> Best,
>
>
> Adrià
>
> On Wed, 26 Jun 2019 at 11:51, Eric Soroos <eric at derilinx.com> wrote:
>
>
> Hi Adrià,
>
> I was wondering if you could tell me if the security issue that I
> raised on the security at ckan.org list on May 29 is going to be patched
> in the upcoming point releases?
>
> I haven't heard anything back from the CKAN org, and I'm worried about this one.
>
> Thanks
>
> eric
>
> Eric Soroos, Senior Developer
> Derilinx - Linked & Open Data Solutions
>
> Web: www.derilinx.com
> Email: eric at derilinx.com
> Address: 11/12 Baggot Court, Dublin 2, D02 F891
> Tel: +353 (0)1 254 4316
> Mob: +353 (0)83 8730257
> Twitter: @derilinx
>
>
> Eric Soroos, Senior Developer
> Derilinx - Linked & Open Data Solutions
>
> Web: www.derilinx.com
> Email: eric at derilinx.com
> Address: 11/12 Baggot Court, Dublin 2, D02 F891
> Tel: +353 (0)1 254 4316
> Mob: +353 (0)83 8730257
> Twitter: @derilinx
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/ian%40excess.org
>
> Repo: https://github.com/ckan/ckan-security

• Previous message: [CKAN-Security] Fwd: Upcoming CKAN release -- Security patches?
• Next message: [CKAN-Security] Fwd: Upcoming CKAN release -- Security patches?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]