[jira] [Updated] (MESOS-5685) The /files/download endpoint's authorization can be compromised
     [ https://issues.apache.org/jira/browse/MESOS-5685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joseph Wu updated MESOS-5685:
-----------------------------
    Affects Version/s:     (was: 0.28.2)

This is marked as affecting {{0.28.2}}, but the related authorization code only landed in the {{1.0.0}} release. I've untagged appropriately.

> The /files/download endpoint's authorization can be compromised
> ---------------------------------------------------------------
>
>                 Key: MESOS-5685
>                 URL: https://issues.apache.org/jira/browse/MESOS-5685
>             Project: Mesos
>          Issue Type: Bug
>            Reporter: Greg Mann
>            Assignee: Greg Mann
>            Priority: Blocker
>              Labels: mesosphere
>             Fix For: 1.0.0
>
>
> If a forward slash is appended to the path of a file a user wishes to
> download via {{/files/download}}, the authorization logic for that path will
> be bypassed and the file will be downloaded regardless of permissions. This
> is because we store the authorization callbacks for these paths in a map
> which is keyed by the path name, so a request to {{/master/log/}} fails to
> find the callback which is installed for {{/master/log}}. When the master
> fails to find the callback, it assumes authorization is not required for that
> path and authorizes the action.
>
> Consider the following excerpt:
> {code}
> gmann@gmac:~/src/mesos/build⚡ http GET http://127.0.0.1:5050/files/download\?path\=/master/log -a foo:bar
> HTTP/1.1 403 Forbidden
> Content-Length: 0
> Date: Wed, 22 Jun 2016 21:28:53 GMT
>
> gmann@gmac:~/src/mesos/build⚡ http GET http://127.0.0.1:5050/files/download\?path\=/master/log/ -a foo:bar
> HTTP/1.1 200 OK
> Content-Disposition: attachment; filename=mesos-master.gmac.gmann.log.INFO.20160622-142843.65615
> Content-Length: 14432
> Content-Type: application/octet-stream
> Date: Wed, 22 Jun 2016 21:28:56 GMT
>
> Log file created at: 2016/06/22 14:28:43
> Running on machine: gmac
> Log line format: [IWEF]mmdd hh:mm:ss.uu threadid file:line] msg
> I0622 14:28:43.476925 2080764672 logging.cpp:194] INFO level logging started!
> I0622 14:28:43.477522 2080764672 main.cpp:367] Using 'HierarchicalDRF' allocator
> I0622 14:28:43.480650 2080764672 leveldb.cpp:174] Opened db in 2961us
> I0622 14:28:43.481046 2080764672 leveldb.cpp:181] Compacted db in 372us
> I0622 14:28:43.481078 2080764672 leveldb.cpp:196] Created db iterator in 13us
> I0622 14:28:43.481096 2080764672 leveldb.cpp:202] Seeked to beginning of db in 9us
> I0622 14:28:43.48 2080764672 leveldb.cpp:271] Iterated through 0 keys in the db in 8us
> I0622 14:28:43.481165 2080764672 replica.cpp:779] Replica recovered with log positions 0 -> 0 with 1 holes and 0 unlearned
> I0622 14:28:43.481967 219914240 recover.cpp:451] Starting replica recovery
> I0622 14:28:43.482193 219914240 recover.cpp:477] Replica is in EMPTY status
> I0622 14:28:43.482589 2080764672 main.cpp:488] Creating default 'local' authorizer
> I0622 14:28:43.482719 2080764672 main.cpp:545] Starting Mesos master
> I0622 14:28:43.483085 218841088 replica.cpp:673] Replica in EMPTY status received a broadcasted recover request from (4)@127.0.0.1:5050
> I0622 14:28:43.487284 218304512 recover.cpp:197] Received a recover response from a replica in EMPTY status
> I0622 14:28:43.487694 219914240 recover.cpp:568] Updating replica status to STARTING
> {code}
>
> We could consider disallowing paths which end in trailing slashes.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
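The lookup failure the issue describes, modelled as an added example (this is not Mesos code): a map of per-path authorization callbacks, the exact-key lookup that treats an unregistered path as not requiring authorization, and the canonical-path check the ticket proposes so that a trailing slash can no longer slip past the registered key. The ACL, principals and paths are constructed for the demo.

```cpp
// Added example, not Mesos code. Models the per-path callback map and the
// fail-open lookup described in MESOS-5685, plus a canonical-path guard.
// The ACL, principal names and paths below are constructed for the demo.
#include <functional>
#include <iostream>
#include <map>
#include <string>

using Authorizer = std::function<bool(const std::string& principal)>;

// Constructed ACL: only principal "ops" may read /master/log.
static const std::map<std::string, Authorizer> kCallbacks = {
    {"/master/log", [](const std::string& p) { return p == "ops"; }},
};

// Behaviour described in the issue: exact-key lookup, and a path with no
// registered callback is treated as not requiring authorization.
bool authorizeAsDescribed(const std::string& path, const std::string& principal) {
    auto it = kCallbacks.find(path);
    if (it == kCallbacks.end()) return true;   // "/master/log/" lands here
    return it->second(principal);
}

// True only for an absolute path with no trailing slash and no empty, "."
// or ".." segments, i.e. a path that can only match a key as registered.
bool isCanonicalPath(const std::string& path) {
    if (path.empty() || path.front() != '/') return false;
    if (path.size() > 1 && path.back() == '/') return false;  // the bypass
    std::string seg;
    for (std::string::size_type i = 1; i <= path.size(); ++i) {
        if (i == path.size() || path[i] == '/') {
            if (seg.empty() || seg == "." || seg == "..") return false;
            seg.clear();
        } else {
            seg += path[i];
        }
    }
    return true;
}

// Hardened lookup: reject non-canonical paths up front (the ticket's
// suggestion), then consult the same map as before.
bool authorizeHardened(const std::string& path, const std::string& principal) {
    if (!isCanonicalPath(path)) return false;
    return authorizeAsDescribed(path, principal);
}

int main() {
    std::cout << "described /master/log/ foo: " << authorizeAsDescribed("/master/log/", "foo") << '\n'
              << "hardened  /master/log/ foo: " << authorizeHardened("/master/log/", "foo") << '\n';
}
```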
[jira] [Updated] (MESOS-5685) The /files/download endpoint's authorization can be compromised
     [ https://issues.apache.org/jira/browse/MESOS-5685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam B updated MESOS-5685:
--------------------------
    Fix Version/s: 1.0.0

> The /files/download endpoint's authorization can be compromised
> ---------------------------------------------------------------
>
>                 Key: MESOS-5685
>                 URL: https://issues.apache.org/jira/browse/MESOS-5685
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 0.28.2
>            Reporter: Greg Mann
>            Assignee: Greg Mann
>            Priority: Blocker
>              Labels: mesosphere
>             Fix For: 1.0.0
[jira] [Updated] (MESOS-5685) The /files/download endpoint's authorization can be compromised
     [ https://issues.apache.org/jira/browse/MESOS-5685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Greg Mann updated MESOS-5685:
-----------------------------
    Shepherd: Vinod Kone

> The /files/download endpoint's authorization can be compromised
> ---------------------------------------------------------------
>
>                 Key: MESOS-5685
>                 URL: https://issues.apache.org/jira/browse/MESOS-5685
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 0.28.2
>            Reporter: Greg Mann
>            Assignee: Greg Mann
>            Priority: Blocker
>              Labels: mesosphere
[jira] [Updated] (MESOS-5685) The /files/download endpoint's authorization can be compromised
     [ https://issues.apache.org/jira/browse/MESOS-5685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Greg Mann updated MESOS-5685:
-----------------------------
    Priority: Blocker  (was: Major)

> The /files/download endpoint's authorization can be compromised
> ---------------------------------------------------------------
>
>                 Key: MESOS-5685
>                 URL: https://issues.apache.org/jira/browse/MESOS-5685
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 0.28.2
>            Reporter: Greg Mann
>            Assignee: Greg Mann
>            Priority: Blocker
>              Labels: mesosphere
[jira] [Updated] (MESOS-5685) The /files/download endpoint's authorization can be compromised
     [ https://issues.apache.org/jira/browse/MESOS-5685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Greg Mann updated MESOS-5685:
-----------------------------
    Summary: The /files/download endpoint's authorization can be compromised  (was: The /files/download endpoint authorization can be compromised)

> The /files/download endpoint's authorization can be compromised
> ---------------------------------------------------------------
>
>                 Key: MESOS-5685
>                 URL: https://issues.apache.org/jira/browse/MESOS-5685
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 0.28.2
>            Reporter: Greg Mann
>              Labels: mesosphere