Opened at 2012-01-25T04:53:44Z
Last modified at 2014-08-23T21:30:59Z
#1665 new task
Brainstorm webapi vulnerabilities between the operator and a user and between users.
Reported by: | nejucomo | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | undecided |
Component: | code-frontend-web | Version: | n/a |
Keywords: | docs security webapi introducer accounting status websec multiuser-gateway | Cc: | warner |
Launchpad Bug: |
Description (last modified by zooko)
Problem: The webapi interface design seems to presume the node operator and users are mutually trusting. There is some demand for "public" web gateways to content in a LAFS network, where the users and gateway operator do not fully trust each other.
Resolution: This ticket is resolved when the vulnerabilities are enumerated to the operator coming from users, to the users from the operator, and from the users between themselves.
Bonus Points awarded for each of: configuration options which reduce a given vulnerabily's risk; workarounds which do not require code patches (external tools are ok); and outlines of code patches to reduce the vulnerability.
Related Tickets:
Change History (15)
comment:1 Changed at 2012-01-25T04:57:04Z by nejucomo
- Description modified (diff)
comment:2 Changed at 2012-01-25T05:04:10Z by nejucomo
comment:3 follow-up: ↓ 8 Changed at 2012-01-25T05:07:06Z by nejucomo
User vulnerabilities from other users.
Capabilities may be leaked across browsers. For example, one user, by browsing ongoing or completed operations may be able to acquire the capabilities used by another user.
(I am not currently familiar enough with the operation / status features to have confidence about this situation.)
Mitigation brainstorm: Restrict operation / status features such that only the user initiating an operation has a "capability" (distinct from the existing filesystem read/write/verify capabilities) to view the status of that operation.
comment:4 follow-up: ↓ 10 Changed at 2012-01-25T05:10:19Z by nejucomo
Operator vulnerability to users: Arbitrary upload.
Users can upload arbitrary content (such as by a PUT /uri request), so any accounting based on the gateway's identity cannot distinguish between users. (I am not familiar with the work on accounting. This vulnerability may soon be moot.)
Workaround: Blocking non-GET requests is sufficient to prevent content upload or modification.
comment:5 follow-up: ↓ 9 Changed at 2012-01-25T05:14:28Z by nejucomo
Network vulnerability to users: Leaked introducer furl.
Any user of the webapi can learn the introducer furl, which in some use cases is undesirable.
comment:6 Changed at 2012-01-25T05:20:58Z by nejucomo
A mitigation for comment:5 would be to improve the introduction system and/or accounting to separate out capabilities for discovering storage nodes, introducing storage nodes, or requesting storage. (Again, I'm unfamiliar with the current state of accounting, so this vulnerability may soon be well mitigated.)
comment:7 Changed at 2012-03-12T19:30:09Z by davidsarah
- Keywords docs security webapi introducer accounting status added
comment:8 in reply to: ↑ 3 Changed at 2012-03-13T15:58:06Z by zooko
- Cc warner added
I think this one is currently solved with regard to authority over files (excluding authority over operations -- see "ophandles" below), at least if we exclude "cross-user scripting" or "cross-user reference forgery" issues.
Replying to nejucomo:
User vulnerabilities from other users.
Capabilities may be leaked across browsers. For example, one user, by browsing ongoing or completed operations may be able to acquire the capabilities used by another user.
There is a Recent Upload Download page, but it doesn't use caps that grant more authority than the storage index does.
Mitigation brainstorm: Restrict operation / status features such that only the user initiating an operation has a "capability" (distinct from the existing filesystem read/write/verify capabilities) to view the status of that operation.
I think the current approach is even better: you can see the status of the operations of other users, but you can't get authority over the files involved.
ophandles
This one could be problematic. See docs/frontends/webapi.rst for the docs about ophandles. They are chosen by the wapi client, so if the user's client software chooses guessable ophandles, then the user could be accidentally allowing other users of the same gateway to cancel their operations. I'm not sure if ophandles can be used for anything other than canceling and checking the status of operations. I propose we open a separate ticket for this specific issue -- ophandles could be guessable and gateways could be shared among users.
comment:9 in reply to: ↑ 5 Changed at 2012-03-13T21:12:53Z by zooko
Replying to nejucomo:
Network vulnerability to users: Leaked introducer furl.
Any user of the webapi can learn the introducer furl, which in some use cases is undesirable.
Workaround (low confidence): Blocking requests to the webapi / url prevents the user from learning the introducer furl. Warning: This may not be sufficient; I recommend waiting for more community confidence in this workaround before relying on it.
This is #860.
comment:10 in reply to: ↑ 4 ; follow-up: ↓ 14 Changed at 2012-03-13T21:34:28Z by zooko
comment:11 Changed at 2013-09-14T17:40:36Z by zooko
- Description modified (diff)
- Keywords websec added
comment:12 Changed at 2014-08-23T21:16:31Z by nejucomo
Note, this use case has come up in another form in #1283. Windows services provide monitoring and scheduling features, but they are system-wide.
comment:13 Changed at 2014-08-23T21:20:49Z by nejucomo
Note, this use case has also come up in #2045 which is related to Debian "daemonification" and might imply a system-wide daemon with separate user clients.
comment:14 in reply to: ↑ 10 Changed at 2014-08-23T21:25:40Z by nejucomo
Replying to zooko:
Replying to nejucomo:
Operator vulnerability to users: Arbitrary upload.
This is #1447.
I disagree. #1447 is for implementing a specific (easy to implement) policy: No uploads at all.
However there are many more potential policies (which are not yet implemented) for upload, such as requiring users to provide some proof of allocated storage on a set of servers along the lines of the accounting roadmap.
comment:15 Changed at 2014-08-23T21:30:59Z by nejucomo
- Keywords multiuser-gateway added
User vulnerabilities to the gateway.
Fundamentally, a web gateway is an entity-in-the-middle, so users are vulnerable to:
These vulnerabilities compromise much of the utility of LAFS; never-the-less, the usefulness of making content available to public web users (without any custom software) is great enough that there's demand for a "public gateway".
Mitigation brainstorm: The situation could potentially improved by moving integrity and confidentiality support into the browser- if for example the user loaded javascript from a trusted site, which could then proxy encrypted requests through different HTTP interfaces to the underlying LAFS network.