Bug #33670
Pulp smart proxy plugin exposes credentials on dev setup (closed)
Status:
Rejected
Priority:
Normal
Assignee:
Category:
Foreman Proxy Content
Target version:
Difficulty:
Triaged:
Yes
Description
Today I was poking around Smart Proxies, and realized the
smart_proxy_pulp [1] plugin exposes the pulpcore credentials via its
API [2]. It doesn't affect our default deployments, as we use
certificate authentication, but still an issue IMHO.
# curl --silent --cert /etc/foreman/client_cert.pem --key /etc/foreman/client_key.pem https://pipe-katello-server-nightly-centos7.yatsu.example.com:9090/v2/features | jq .pulpcore.settings
{
  "pulp_url": "https://pipe-katello-server-nightly-centos7.yatsu.example.com",
  "mirror": false,
  "content_app_url": "https://pipe-katello-server-nightly-centos7.yatsu.example.com/pulp/content",
  "username": null,
  "password": null,
  "client_authentication": [
    "client_certificate"
  ],
  "rhsm_url": "https://localhost/rhsm"
}
The API itself is protected by cert auth in production installs, but
the data is also stored unencrypted in the database:
foreman=# select * from smart_proxy_features where settings like '%password%';
 smart_proxy_id | feature_id | id | capabilities | settings
----------------+------------+----+--------------+---------------------------------------------------------------------------------------------
              1 |          4 |  1 | ---         +| {"pulp_url":"https://pipe-katello-server-nightly-centos7.yatsu.example.com","mirror":false,"content_app_url":"https://pipe-katello-server-nightly-centos7.yatsu.example.com/pulp/content","username":null,"password":null,"client_authentication":["client_certificate"],"rhsm_url":"https://localhost/rhsm"}
                |            |    | - ansible   +|
                |            |    | - certguard +|
                |            |    | - container +|
                |            |    | - core      +|
                |            |    | - deb       +|
                |            |    | - file      +|
                |            |    | - rpm       +|
                |            |    |             |
I think the plugin should just not `expose_setting :password`, as
there is really no reason for Foreman to know the password.
This was reported by Evgeni on our security list. Thank you.
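As an added example (not code from Foreman, Katello or smart_proxy_pulp), the following Python audits what the report looks at from both sides: the JSON that a smart proxy's /v2/features endpoint returns, and the `settings` column of Foreman's smart_proxy_features table, where the same JSON is stored as a string. It flags every credential-named key a plugin exposes, and separately records whether the value is actually populated, so a certificate-authenticated install (key present, value null, as in the report) is distinguished from a dev setup using username/password authentication, where the secret itself would be handed to Foreman and written to the database. The sample documents are constructed; the basic-auth one assumes the same field names with non-null values, and its `client_authentication` value is hypothetical.

```python
"""Audit smart proxy feature settings for exposed credentials.

Added example, not Foreman/Katello/smart_proxy_pulp code. Works on the
parsed /v2/features response or on rows of the smart_proxy_features table.
"""
import json
import re
from typing import Dict, Iterable, List, Tuple

# Setting keys that the Foreman side has no need to see.
CREDENTIAL_KEY = re.compile(r"pass(word)?|secret|token|api_?key", re.IGNORECASE)

# Constructed document mirroring the report: cert auth, credentials null.
FEATURES_CERT_AUTH = {
    "pulpcore": {
        "settings": {
            "pulp_url": "https://proxy.example.com",
            "mirror": False,
            "content_app_url": "https://proxy.example.com/pulp/content",
            "username": None,
            "password": None,
            "client_authentication": ["client_certificate"],
            "rhsm_url": "https://localhost/rhsm",
        },
        "capabilities": ["ansible", "rpm"],
    },
}

# Constructed document for a dev setup using basic auth (values are fake;
# the "password" client_authentication value is a hypothetical label).
FEATURES_BASIC_AUTH = {
    "pulpcore": {
        "settings": {
            "pulp_url": "http://localhost:24817",
            "mirror": False,
            "username": "admin",
            "password": "hunter2",
            "client_authentication": ["password"],
        },
        "capabilities": ["rpm"],
    },
    "puppet": {"settings": {"puppet_url": "https://puppet.example.com:8140"}},
}

# Constructed rows as (smart_proxy_id, feature_id, settings) would come back
# from: select smart_proxy_id, feature_id, settings from smart_proxy_features;
DB_ROWS = [
    (1, 4, json.dumps(FEATURES_CERT_AUTH["pulpcore"]["settings"])),
    (2, 4, json.dumps(FEATURES_BASIC_AUTH["pulpcore"]["settings"])),
]


def audit_settings(feature: str, settings: Dict) -> List[Dict]:
    """One finding per credential-looking key in `settings`.

    `exposed` is True whenever the key is present at all (the defect the
    report describes); `populated` is True when it carries a real value,
    i.e. the secret itself has left the proxy.
    """
    findings = []
    for key, value in settings.items():
        if CREDENTIAL_KEY.search(key):
            findings.append({
                "feature": feature,
                "key": key,
                "exposed": True,
                "populated": value not in (None, ""),
            })
    return findings


def audit_features(features: Dict) -> List[Dict]:
    """Audit a parsed /v2/features response (feature name -> settings)."""
    findings = []
    for name, feature in features.items():
        findings.extend(audit_settings(name, feature.get("settings") or {}))
    return findings


def audit_db_rows(rows: Iterable[Tuple[int, int, str]]) -> List[Dict]:
    """Audit (smart_proxy_id, feature_id, settings_json) table rows."""
    findings = []
    for proxy_id, feature_id, settings_json in rows:
        label = f"proxy{proxy_id}/feature{feature_id}"
        findings.extend(audit_settings(label, json.loads(settings_json)))
    return findings


def leaked_secrets(findings: List[Dict]) -> List[str]:
    """Labels of findings where a secret value, not just its key, is exposed."""
    return [f"{f['feature']}.{f['key']}" for f in findings if f["populated"]]


if __name__ == "__main__":
    for doc in (FEATURES_CERT_AUTH, FEATURES_BASIC_AUTH):
        for finding in audit_features(doc):
            print(finding)
    print("leaked from DB rows:", leaked_secrets(audit_db_rows(DB_ROWS)))
```

Against the report's own output the audit returns a single finding for `pulpcore.password` with `populated` false: the key is exposed and stored, but cert authentication leaves it empty. On the basic-auth document the same key is populated, which is the case the reporter is worried about on dev setups. Run it against a real `/v2/features` dump by feeding `json.load()` output to `audit_features`, or against `psql -At -c "select smart_proxy_id, feature_id, settings from smart_proxy_features"` output to `audit_db_rows`.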