Project

General

Profile

Actions

Bug #34573

closed

Settings defined by DSL are not properly encrypted

Added by Ondřej Ezr over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

The values set for the DSL defined settings are not properly encrypted.
This is caused by the encrypted flag not being propagated for newly created settings and thus only new Foreman instances are affected.

How to reproduce:

1. Remove contents of settings table
2. Start foreman
3. Set a encrypted setting e.g. root_pass to any value
4. See the value in database for this setting. (possibly also from console by `Setting.find_by(name: 'root_pass').read_attribute(:value)`


Files

34573.patch 34573.patch 7.34 KB Proposed patch v1 Ondřej Ezr, 03/08/2022 01:03 PM

Related issues 1 (0 open1 closed)

Related to Foreman - Feature #30862: Introduce SettingRegistry as a setting inventoryClosedOndřej EzrActions
Actions #1

Updated by Ondřej Ezr over 2 years ago

  • Target version set to 3.1.3
  • Found in Releases 3.1.3 added
Actions #2

Updated by Ondřej Ezr over 2 years ago

  • Related to Feature #30862: Introduce SettingRegistry as a setting inventory added
Actions #3

Updated by Ondřej Ezr over 2 years ago

  • Description updated (diff)
Actions #4

Updated by Ondřej Ezr over 2 years ago

Actions #5

Updated by Ondřej Ezr over 2 years ago

  • Found in Releases 3.1.0 added
  • Found in Releases deleted (3.1.3)

How to reproduce:

1. Remove contents of settings table
2. Start foreman
3. Set a encrypted setting e.g. root_pass to any value
4. See the value in database for this setting. (possibly also from console by `Setting.find_by(name: 'root_pass').read_attribute(:value)`

Actions #6

Updated by Ondřej Ezr over 2 years ago

  • Description updated (diff)
Actions #7

Updated by Ondřej Ezr over 2 years ago

  • Private changed from Yes to No

As discussed, this can be disclosed.

Actions #8

Updated by The Foreman Bot over 2 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Ondřej Ezr
  • Pull request https://github.com/theforeman/foreman/pull/9139 added
Actions #9

Updated by Ondřej Ezr over 2 years ago

  • Bugzilla link set to 2061773
Actions #10

Updated by The Foreman Bot over 2 years ago

  • Fixed in Releases 3.3.0 added
Actions #11

Updated by Ondřej Ezr over 2 years ago

  • Status changed from Ready For Testing to Closed
Actions #12

Updated by Ondřej Ezr over 2 years ago

  • Fixed in Releases 3.1.3, 3.2.0 added
Actions

Also available in: Atom PDF