[CKAN-Security] Fwd: Upcoming CKAN release -- Security patches?
Ian Ward
ian at excess.org
Fri Jun 28 17:15:32 UTC 2019
How does this fix work if we're still showing the apikey on the user's
profile page? IIUC we'd have to disable that page too.
On Thu, Jun 27, 2019 at 3:58 AM Adrià Mercader <adria.mercader at okfn.org> wrote:
>
> ---------- Forwarded message ---------
> From: Eric Soroos <eric at derilinx.com>
> Date: Wed, 26 Jun 2019 at 13:02
> Subject: Re: Upcoming CKAN release -- Security patches?
> To: Adrià Mercader <adria.mercader at okfn.org>
>
>
> Adrià,
>
> Thanks for getting back to me. Since the initial email went out, I've
> realized that this is perhaps a bit more dangerous than I realized.
>
> If someone can find an XSS vulnerability or CORS misconfiguration in a
> CKAN install, then this is the only additional step to a full
> compromise. I know that there's been one XSS bug in the past, and
> given the plugin landscape, I'm certain that there are others out
> there, even if CKAN core is fine.
>
> My experience in other open source communities is that this is a good
> candidate for an embargoed release, as it's trivially exploitable if
> someone has one other bug in their pocket. I realize that this is a
> hard issue to do in a point release, as it intentionally breaks some
> backwards compatibility, but having a patch and a plan is far
> preferable to not having a patch and having the security issue leak
> anyway.
>
> FWIW, this is the hotfix patch that I'm using, It appears to be good
> for my uses. It fixes the basic leak, but doesn't go any farther.
>
> diff --git a/ckan/ckan/lib/dictization/model_dictize.py
> b/ckan/ckan/lib/dictization/model_dictize.py
> index 9acb150..44e1eda 100644
> --- a/ckan/ckan/lib/dictization/model_dictize.py
> +++ b/ckan/ckan/lib/dictization/model_dictize.py
> @@ -577,16 +577,11 @@ def user_dictize(user, context,
> include_password_hash=False):
> result_dict['apikey'] = apikey
>
>
>
> if requester == user.name:
> - result_dict['apikey'] = apikey
> result_dict['email'] = email
>
>
>
> if authz.is_sysadmin(requester):
> - result_dict['apikey'] = apikey
> result_dict['email'] = email
>
>
>
> - if include_password_hash:
> - result_dict['password_hash'] = password_hash
> -
> model = context['model']
> session = model.Session
>
>
>
> diff --git a/ckan/ckanext/datapusher/logic/action.py
> b/ckan/ckanext/datapusher/logic/action.py
> index b530273..da6bf54 100644
> --- a/ckan/ckanext/datapusher/logic/action.py
> +++ b/ckan/ckanext/datapusher/logic/action.py
> @@ -64,6 +64,7 @@ def datapusher_submit(context, data_dict):
> site_url = h.url_for('/', qualified=True)
> callback_url = h.url_for('/api/3/action/datapusher_hook', qualified=True)
>
>
>
> + context['keep_apikey'] = True
> user = p.toolkit.get_action('user_show')(context, {'id': context['user']})
>
>
>
> for plugin in p.PluginImplementations(interfaces.IDataPusher):
>
>
> eric
>
>
> On Jun 26, 2019, at 11:10 AM, Adrià Mercader <adria.mercader at okfn.org> wrote:
>
> Hi Eric,
>
> Thanks for reaching out, and many apologies that we didn't get back to
> you on your original email. I don't know what happened but we
> obviously failed to respond adequately.
>
> The upcoming patch releases doesn't contain any API key related
> changes. You raise some very valid points in your email and there have
> been discussions around API key management refactoring for a while but
> due to limited resources we haven't been able to work on that front.
> Perhaps your employer can help fund work on this?
>
> We can discuss the issue and come up with an implementation plan on
> the next dev meeting (https://hack.allmende.io/ckan-meeting#) You are
> more than welcome to join and discuss the issue with the tech team and
> others (meetings are open to everyone)
>
> Best,
>
>
> Adrià
>
> On Wed, 26 Jun 2019 at 11:51, Eric Soroos <eric at derilinx.com> wrote:
>
>
> Hi Adrià,
>
> I was wondering if you could tell me if the security issue that I
> raised on the security at ckan.org list on May 29 is going to be patched
> in the upcoming point releases?
>
> I haven't heard anything back from the CKAN org, and I'm worried about this one.
>
> Thanks
>
> eric
>
> Eric Soroos, Senior Developer
> Derilinx - Linked & Open Data Solutions
>
> Web: www.derilinx.com
> Email: eric at derilinx.com
> Address: 11/12 Baggot Court, Dublin 2, D02 F891
> Tel: +353 (0)1 254 4316
> Mob: +353 (0)83 8730257
> Twitter: @derilinx
>
>
> Eric Soroos, Senior Developer
> Derilinx - Linked & Open Data Solutions
>
> Web: www.derilinx.com
> Email: eric at derilinx.com
> Address: 11/12 Baggot Court, Dublin 2, D02 F891
> Tel: +353 (0)1 254 4316
> Mob: +353 (0)83 8730257
> Twitter: @derilinx
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/ian%40excess.org
>
> Repo: https://github.com/ckan/ckan-security
More information about the Security
mailing list