Bug #33670

Updated by Lukas Zapletal over 2 years ago

Today I was poking around Smart Proxies, and realized the smart_proxy_pulp [1] plugin exposes the pulpcore credentials via its API [2]. It doesn't affect our default deployments, as we use certificate authentication, but still an issue IMHO.

<pre>
# curl --silent --cert /etc/foreman/client_cert.pem --key /etc/foreman/client_key.pem https://pipe-katello-server-nightly-centos7.yatsu.example.com:9090/v2/features | jq .pulpcore.settings
{
  "pulp_url": "https://pipe-katello-server-nightly-centos7.yatsu.example.com",
  "mirror": false,
  "content_app_url": "https://pipe-katello-server-nightly-centos7.yatsu.example.com/pulp/content",
  "username": null,
  "password": null,
  "client_authentication": [
    "client_certificate"
  ],
  "rhsm_url": "https://localhost/rhsm"
}
</pre>

The API itself is protected by cert auth in production installs, but the data is also stored unencrypted in the database:

<pre>
foreman=# select * from smart_proxy_features where settings like '%password%';
 smart_proxy_id | feature_id | id | capabilities |                                   settings
----------------+------------+----+--------------+----------------------------------------------------------------------------------
              1 |          4 |  1 | ---         +| {"pulp_url":"https://pipe-katello-server-nightly-centos7.yatsu.example.com","mirror":false,"content_app_url":"https://pipe-katello-server-nightly-centos7.yatsu.example.com/pulp/content","username":null,"password":null,"client_authentication":["client_certificate"],"rhsm_url":"https://localhost/rhsm"}
                |            |    | - ansible   +|
                |            |    | - certguard +|
                |            |    | - container +|
                |            |    | - core      +|
                |            |    | - deb       +|
                |            |    | - file      +|
                |            |    | - rpm       +|
                |            |    |              |
</pre>


I think the plugin should just not `expose_setting :password`, as there is really no reason for Foreman to know the password.

 _This was reported by Evgeni on our security list. Thank you._ 
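A defender-side audit for this class of issue, added here as an example and not code from the report, Foreman or the smart_proxy_pulp plugin: it walks a `/v2/features` response and lists every per-feature setting whose key looks like a credential, whether or not the value is null, since the field is exposed either way and would be populated on a password-authenticated proxy. The response shape (feature name mapping to a hash with a `settings` hash, as the `jq .pulpcore.settings` call above suggests) is assumed, and the embedded sample is constructed with placeholder values.

```ruby
require 'json'

# Constructed sample of a /v2/features response, shaped like the report's
# output. Values are placeholders, not real credentials.
SAMPLE_FEATURES = <<~JSON
  {
    "pulpcore": {
      "http_enabled": true,
      "https_enabled": true,
      "settings": {
        "pulp_url": "https://proxy.example.com",
        "mirror": false,
        "content_app_url": "https://proxy.example.com/pulp/content",
        "username": "pulp-admin-placeholder",
        "password": "s3cret-placeholder",
        "client_authentication": ["client_certificate"],
        "rhsm_url": "https://localhost/rhsm"
      }
    },
    "dns": { "http_enabled": true, "https_enabled": true, "settings": {} }
  }
JSON

# Setting keys that should never leave the proxy through the features API.
SECRET_KEY_PATTERN = /user(name)?|passw(or)?d|secret|token|api_?key/i

# Returns "feature.key" for every setting whose key looks like a credential.
# A nil value is still reported: the plugin exposes the field regardless of
# whether the current deployment uses password authentication.
def exposed_secrets(features_json)
  JSON.parse(features_json).flat_map do |feature, body|
    settings = body.is_a?(Hash) ? body.fetch('settings', {}) : {}
    next [] unless settings.is_a?(Hash)
    settings.keys
            .select { |key| key.match?(SECRET_KEY_PATTERN) }
            .map { |key| "#{feature}.#{key}" }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Assumed usage: pipe in `curl ... /v2/features` output, or run on the sample.
  input = ARGV.empty? ? SAMPLE_FEATURES : File.read(ARGV[0])
  exposed_secrets(input).each { |path| puts "exposed credential field: #{path}" }
end
```

Run it against the saved output of the curl command above to confirm which proxies still return the `username` and `password` fields after the plugin change.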
