Bug #33670
Status: Closed
Pulp smart proxy plugin exposes credentials on dev setup
Description
Today I was poking around Smart Proxies, and realized the
smart_proxy_pulp [1] plugin exposes the pulpcore credentials via its
API [2]. It doesn't affect our default deployments, as we use
certificate authentication, but still an issue IMHO.
# curl --silent --cert /etc/foreman/client_cert.pem --key /etc/foreman/client_key.pem https://pipe-katello-server-nightly-centos7.yatsu.example.com:9090/v2/features | jq .pulpcore.settings
{
  "pulp_url": "https://pipe-katello-server-nightly-centos7.yatsu.example.com",
  "mirror": false,
  "content_app_url": "https://pipe-katello-server-nightly-centos7.yatsu.example.com/pulp/content",
  "username": null,
  "password": null,
  "client_authentication": [
    "client_certificate"
  ],
  "rhsm_url": "https://localhost/rhsm"
}
The API itself is protected by cert auth in production installs, but
the data is also stored unencrypted in the database:
foreman=# select * from smart_proxy_features where settings like '%password%';
 smart_proxy_id | feature_id | id | capabilities  | settings
----------------+------------+----+---------------+----------
              1 |          4 |  1 | ---          +| {"pulp_url":"https://pipe-katello-server-nightly-centos7.yatsu.example.com","mirror":false,"content_app_url":"https://pipe-katello-server-nightly-centos7.yatsu.example.com/pulp/content","username":null,"password":null,"client_authentication":["client_certificate"],"rhsm_url":"https://localhost/rhsm"}
                |            |    | - ansible    +|
                |            |    | - certguard  +|
                |            |    | - container  +|
                |            |    | - core       +|
                |            |    | - deb        +|
                |            |    | - file       +|
                |            |    | - rpm        +|
                |            |    |               |
I think the plugin should just not `expose_setting :password`, as
there is really no reason for Foreman to know the password.
This was reported by Evgeni on our security list. Thank you.
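An added example, not part of the report and not code from smart_proxy_pulp or Foreman: a small audit script that reads the JSON a smart proxy returns from /v2/features (the endpoint queried with curl above) and flags any plugin setting with a credential-like name whose value is not null. On a cert-auth deployment like the one in the report it reports nothing, because username and password are null; on a dev setup that uses basic auth against pulpcore it names the leaked key. The document layout follows the `.pulpcore.settings` shape shown in the report; the keys around it and the sample document are constructed for this example.

```ruby
#!/usr/bin/env ruby
# Added example (not from the bug report, smart_proxy_pulp or Foreman):
# audit a smart proxy's /v2/features JSON for credential-like settings a
# plugin has exposed with a non-null value. Only the "settings" hash per
# feature is assumed; the other keys in SAMPLE are constructed.
require 'json'

# Setting names whose values should never reach Foreman via the features API.
SENSITIVE_KEY = /(password|passwd|secret|token|api_key)/i

# Return [feature_name, setting_key] pairs for every exposed credential.
# Null or empty values are not flagged: nothing is leaked in that case,
# which is the cert-auth situation quoted in the report.
def exposed_credentials(features_json)
  doc = features_json.is_a?(String) ? JSON.parse(features_json) : features_json
  findings = []
  doc.each do |feature, body|
    settings = body.is_a?(Hash) ? body['settings'] : nil
    next unless settings.is_a?(Hash)
    settings.each do |key, value|
      next unless key.match?(SENSITIVE_KEY)
      next if value.nil? || (value.respond_to?(:empty?) && value.empty?)
      findings << [feature, key]
    end
  end
  findings
end

# Constructed sample: a dev setup using basic auth against pulpcore, next to
# a feature that exposes no settings at all.
SAMPLE = <<~JSON
{
  "pulpcore": {
    "settings": {
      "pulp_url": "https://proxy.example.com",
      "mirror": false,
      "content_app_url": "https://proxy.example.com/pulp/content",
      "username": "admin",
      "password": "changeme",
      "client_authentication": ["client_certificate"],
      "rhsm_url": "https://localhost/rhsm"
    },
    "capabilities": ["rpm", "file"]
  },
  "puppet": { "settings": {}, "capabilities": [] }
}
JSON

if __FILE__ == $PROGRAM_NAME
  # Usage: save the curl output from the report to a file and pass its path,
  # e.g.  ruby audit_features.rb features.json  (no argument runs on SAMPLE).
  input = ARGV[0] ? File.read(ARGV[0]) : SAMPLE
  hits = exposed_credentials(input)
  if hits.empty?
    puts 'no exposed credentials'
  else
    hits.each { |feature, key| puts "#{feature}: setting '#{key}' exposes a credential" }
  end
end
```

The same check can be pointed at the database copy the report mentions: the `settings` column of `smart_proxy_features` holds the identical JSON, so feeding each row's value to `exposed_credentials` shows whether a credential is persisted in clear text, independent of whether the API is reachable.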
Updated by Andrew Dewar almost 3 years ago
- Target version set to Katello 4.3.0
- Triaged changed from No to Yes
Updated by Chris Roberts almost 3 years ago
- Target version changed from Katello 4.3.0 to Katello 4.4.0
Updated by The Foreman Bot over 2 years ago
- Status changed from New to Ready For Testing
- Assignee set to Ryan Verdile
- Pull request https://github.com/Katello/katello/pull/9892 added
Updated by The Foreman Bot over 2 years ago
- Pull request https://github.com/theforeman/smart_proxy_pulp/pull/34 added
Updated by Justin Sherrill over 2 years ago
- Status changed from Ready For Testing to Rejected
- Target version changed from Katello 4.4.0 to Katello Recycle Bin
After some discussion here: https://github.com/Katello/katello/pull/9892
This is working as designed and not seen as a security issue. The passwords are only exposed over an authenticated endpoint, and this allows for discoverability. We're gonna close this, but feel free to discuss with ewoud if you disagree :)