Ticket search results

set up github codeql

Dave Brondsema — Mon, 10 Jun 2024 15:31:45 -0000

Our repo gets mirrored to https://github.com/apache/allura/ so we can set up CodeQL to run there and check for security issues in code

improve session cookie handling NEEDS CONFIG CHANGES

Dave Brondsema — Mon, 10 Jun 2024 15:31:45 -0000

Main thing is to move away from pickle, but we can also implement stronger keys, support key rotation, etc.

Generic search doesn't do permission checks

Dave Brondsema — Mon, 07 Oct 2019 15:58:37 -0000

The search tool for project-wide search or generic tool searching (not specialized search handlers like ticket search) doesn't do permission checks and may expose some snippets of information.

Escape html on wiki & blog diff views

Dave Brondsema — Tue, 30 Oct 2018 14:21:22 -0000

The code that generates diffs for the revision history viewing on blog posts & wiki pages, does not escape HTML.

HTTP response splitting vulnerability on return_to param CVE-2018-1319

Dave Brondsema — Thu, 15 Mar 2018 18:55:09 -0000

From a security reporter: ------ Summary: To trigger the vulnerability, an attacker would send a malicious "/auth" URL to the victim. The victim would access said URL, and login successfully. The server would then respond with any HTTP headers the attacker supplied in the malicious URL. Please note that the URL points to the real Allura server, and contains control characters (%0d%0a) in the return_to URL parameter. PoC URLs: http:///auth/?return_to=/%0d%0aSet-Cookie:%20%3Bmy-cookie-field%3Dfoobar%3B http:///auth/?return_to=/%0d%0aContent-Length:%20777 The first URL will set the attacker-supplied cookie (my-cookie-field=foobar) to the victim's session. The second URL will make the server respond with a content length of 777, which will force the victim's browser to abort the rendering of the page, since 777 will not match with the real content length. ---------- `return_to` is used in many places, any of which could sanitize it. Seems like `authenticate_request` and `LoginRedirectMiddleware` and `do_login` and `do_multifactor` have the `redirect()` calls that are the critical spots though. `_verify_return_to` usage could be expanded.

StaticFilesMiddleware allows directory traversal

Dave Brondsema — Tue, 06 Feb 2018 17:55:38 -0000

From reporter: > The vulnerability allows unauthenticated attackers to retrieve > arbitrary files from the Allura web server. > > PoC URsL: > http:///nf/1276635823/_static_/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd > http:///nf/1276635823/_static_/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhostname ----- The %2F does't seem necessary in my testing. The paster, nginx and apache/mod_wsgi servers seem to protect against this, but gunicorn (which we recommend for production) permits the vulnerability. This has been assigned CVE-2018-1299

Stronger no-cache headers

Dave Brondsema — Tue, 27 Jun 2017 17:46:10 -0000

If you're logged in and then log out, hitting the back button will still show the previous page(s) potentially with private info on them. Pylons defaults to `Cache-Control: no-cache` header, but that isn't always enough and there are a lot more caching directives that can be included in there.

After password change, change current session id

Dave Brondsema — Tue, 13 Dec 2016 16:33:16 -0000

Password changes invalidate all other sessions, but we should also cycle the current session's id. This will protect against the possibility of someone intercepting session cookies and then you change your password on the current session, so their copy of the cookies will no longer work.

Fix how we write the .google_authenticator file

Dave Brondsema — Thu, 15 Sep 2016 14:28:49 -0000

The google authenticator PAM module will write the `.google_authenticator` files with permission `400 (-r--------)` and then Allura can't write to it. We also need to write it with `400` or `600` perms, so it is secure for PAM to use it afterwards. And best to do it atomically, with a file rename operation.

Rate limiting for two-factor auth

Dave Brondsema — Wed, 14 Dec 2016 16:59:09 -0000

The google PAM module supports it, for reference: https://github.com/google/google-authenticator/blob/master/libpam/FILEFORMAT#L31

Require password when confirming new email address

Dave Brondsema — Wed, 14 Dec 2016 16:59:08 -0000

We should require a valid login session when opening an email verification link. This avoids the security risk of typos on new email addresses that could potentially let someone else take over your account.

Show security / audit log to users

Dave Brondsema — Sat, 27 Aug 2016 19:47:00 -0000

Right now we have a project audit log which is available to project admins, and a user audit log which is available only to site admins. We should have an audit log for users to see about themselves, so they can verify login attempts, account setting changes, etc. Many existing audit log entries could be re-used, but we'll also need new ones and modified versions of some, I think.

U2F for multifactor auth

Dave Brondsema — Mon, 12 Sep 2016 21:16:39 -0000

As an additional 2FA option, implement support for U2F. Some details at http://mail-archives.apache.org/mod_mbox/allura-dev/201608.mbox/%3C28c7a399-86c5-5d75-dde4-2ab54fe7b3e4%40brondsema.net%3E

2FA recovery codes

Dave Brondsema — Wed, 14 Dec 2016 16:59:08 -0000

Implement recovery codes as an option when your 2FA device isn't available

Implement core 2FA

Dave Brondsema — Wed, 14 Dec 2016 16:59:07 -0000

This ticket is for the essential functionality for TOTP 2FA, separate tickets for other aspects Some details at http://mail-archives.apache.org/mod_mbox/allura-dev/201608.mbox/%3C28c7a399-86c5-5d75-dde4-2ab54fe7b3e4%40brondsema.net%3E

Served SVG images can execute JS

Dave Brondsema — Mon, 02 Nov 2015 15:09:01 -0000

Since the SVG mime type (`image/svg+xml`) starts with `image/`, the `AttachmentController` lets it be displayed in the browser rather than download. However, SVGs can contain javascript and other insecure components. https://www.hackinparis.com/slides/hip2k11/09-TheForbiddenImage.pdf https://www.w3.org/wiki/SVG_Security

XSS vulnerability in link rewriting

Dave Brondsema — Mon, 10 Aug 2015 14:28:41 -0000

HTML like `[xss](http://">xss)` or like `'[xss](http://">)'` will end up getting parsed incorrectly and the embedded JS will run. I've isolated this to the `RelativeLinkRewriter` class and how it uses BeautifulSoup doesn't handle the incoming HTML (which is like `xss` at this point). BeautifulSoup 4 does handle that correctly.

In project admin - user permissions, removing a custom group needs to use POST

Dave Brondsema — Mon, 10 Aug 2015 14:28:32 -0000

Right now it uses GET, and is vulnerable to CSRF.

CSRF checks don't work on login

Dave Brondsema — Thu, 20 Aug 2015 22:06:09 -0000

`CSRFMiddleware` deletes all cookies (including login session) if CSRF checks fail. However that doesn't stop a forged login since there isn't a session cookie yet anyway. The login continues and you are logged in. Also we have no tests for CSRF functionality.

Changing password should invalidate other sessions

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

When you change your password, any other sessions should get logged out.