
Bug #33670

Pulp smart proxy plugin expose credentials on dev setup

Added by Lukas Zapletal 7 months ago. Updated 4 months ago.

Status: Rejected
Priority: Normal
Assignee:
Category: Foreman Proxy Content
Target version:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

Today I was poking around Smart Proxies, and realized the
smart_proxy_pulp [1] plugin exposes the pulpcore credentials via its
API [2]. It doesn't affect our default deployments, as we use
certificate authentication, but still an issue IMHO.

# curl --silent --cert /etc/foreman/client_cert.pem --key /etc/foreman/client_key.pem https://pipe-katello-server-nightly-centos7.yatsu.example.com:9090/v2/features | jq .pulpcore.settings
{
  "pulp_url": "https://pipe-katello-server-nightly-centos7.yatsu.example.com",
  "mirror": false,
  "content_app_url": "https://pipe-katello-server-nightly-centos7.yatsu.example.com/pulp/content",
  "username": null,
  "password": null,
  "client_authentication": [
    "client_certificate"
  ],
  "rhsm_url": "https://localhost/rhsm"
}

The API itself is protected by cert auth in production installs, but
the data is also stored unencrypted in the database:

foreman=# select * from smart_proxy_features where settings like '%password%';
 smart_proxy_id | feature_id | id | capabilities | settings
----------------+------------+----+--------------+----------
              1 |          4 |  1 | ---         +| {"pulp_url":"https://pipe-katello-server-nightly-centos7.yatsu.example.com","mirror":false,"content_app_url":"https://pipe-katello-server-nightly-centos7.yatsu.example.com/pulp/content","username":null,"password":null,"client_authentication":["client_certificate"],"rhsm_url":"https://localhost/rhsm"}
                |            |    | - ansible   +|
                |            |    | - certguard +|
                |            |    | - container +|
                |            |    | - core      +|
                |            |    | - deb       +|
                |            |    | - file      +|
                |            |    | - rpm       +|
                |            |    |              |

I think the plugin should just not `expose_setting :password`, as
there is really no reason for Foreman to know the password.

This was reported by Evgeni on our security list. Thank you.
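The report above shows the two places the settings land: the /v2/features response and the smart_proxy_features.settings column. An operator who wants to check their own proxies for this can run a small audit over a saved copy of the /v2/features JSON. The script below is an added example written for this page, not code from smart_proxy_pulp, Foreman or Katello; the credential-key list is our own heuristic, and the two JSON documents are constructed samples (the first modeled on the output quoted in the report, the second a placeholder dev-style configuration with basic-auth credentials filled in).

```ruby
require 'json'

# Setting names treated as credentials when they carry a real value.
# Assumption: this is our own heuristic list, not anything smart-proxy defines.
SECRET_KEYS = %w[password token secret api_key].freeze

# Walk a /v2/features document ({feature_name => {"settings" => {...}, ...}})
# and return "feature.setting" for every credential-like key whose value is
# non-null. A null value (the cert-auth deployment in the report) discloses
# nothing and is therefore not reported.
def exposed_credentials(features)
  findings = []
  features.each do |feature, body|
    settings = body.is_a?(Hash) ? body['settings'] : nil
    next unless settings.is_a?(Hash)

    settings.each do |key, value|
      next if value.nil? || value == ''

      name = key.to_s.downcase
      findings << "#{feature}.#{key}" if SECRET_KEYS.any? { |s| name.include?(s) }
    end
  end
  findings
end

# Constructed sample 1: modeled on the jq output quoted in the report
# (certificate auth, username/password null).
CERT_AUTH_FEATURES = JSON.parse(<<~JSON)
  {
    "pulpcore": {
      "settings": {
        "pulp_url": "https://proxy.example.com",
        "mirror": false,
        "content_app_url": "https://proxy.example.com/pulp/content",
        "username": null,
        "password": null,
        "client_authentication": ["client_certificate"],
        "rhsm_url": "https://localhost/rhsm"
      }
    }
  }
JSON

# Constructed sample 2: a dev-setup style configuration where basic-auth
# credentials are set. Both values are placeholders.
BASIC_AUTH_FEATURES = JSON.parse(<<~JSON)
  {
    "pulpcore": {
      "settings": {
        "pulp_url": "https://proxy.example.com",
        "mirror": false,
        "content_app_url": "https://proxy.example.com/pulp/content",
        "username": "PLACEHOLDER-USER",
        "password": "PLACEHOLDER-PASSWORD"
      }
    }
  }
JSON

if __FILE__ == $PROGRAM_NAME
  # Usage: save the curl output from the report to a file and pass its path:
  #   ruby audit_features.rb features.json
  # Without an argument the constructed basic-auth sample is audited.
  doc = ARGV[0] ? JSON.parse(File.read(ARGV[0])) : BASIC_AUTH_FEATURES
  hits = exposed_credentials(doc)
  puts(hits.empty? ? 'no plaintext credentials exposed' : "exposed: #{hits.join(', ')}")
end
```

The same function can be pointed at the settings column: each row's JSON string, parsed and wrapped as {"pulpcore" => {"settings" => parsed}}, goes through the identical check, so one heuristic covers both the API response and the database copy the report mentions.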

History

#1 Updated by Lukas Zapletal 7 months ago

  • Description updated (diff)

#2 Updated by Andrew Dewar 7 months ago

  • Triaged changed from No to Yes
  • Target version set to Katello 4.3.0

#3 Updated by Chris Roberts 6 months ago

  • Target version changed from Katello 4.3.0 to Katello 4.4.0

#4 Updated by The Foreman Bot 4 months ago

  • Assignee set to Ryan Verdile
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello/pull/9892 added

#5 Updated by The Foreman Bot 4 months ago

  • Pull request https://github.com/theforeman/smart_proxy_pulp/pull/34 added

#6 Updated by Justin Sherrill 4 months ago

  • Target version changed from Katello 4.4.0 to Katello Recycle Bin
  • Status changed from Ready For Testing to Rejected

After some discussion here: https://github.com/Katello/katello/pull/9892

This is working as designed and not seen as a security issue. The passwords are only exposed over an authenticated endpoint and allow for discoverability. We're gonna close this, but feel free to discuss with ewoud if you disagree :)
