Roundup Tracker - Issues

Issue 2551033

Classification
Title: REST etag security
Type: security
Severity: normal
Components: Infrastructure
Versions: devel

Process
Status: new
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: joseph_myers
Priority: normal
Keywords:

Created on 2019-03-19 00:22 by joseph_myers, last changed 2019-03-19 00:22 by joseph_myers.

Messages
msg6402 Author: [hidden] (joseph_myers) Date: 2019-03-19 00:22
The REST code generates an etag as an md5 hash of a representation of
item properties.

That includes properties to which the user does not have access. 
Depending on the schema, that means it could be used as an oracle to
test guesses for values of such properties by generating hashes with
guessed values for those properties inserted and seeing if those match
the provided etag.

This could be addressed by using HMAC with a per-instance random secret
key, instead of a simple hash function, or by storing a random etag in
the database for each item (generated automatically like the 'activity'
property) so it's not related to item properties at all, just changes to
a new random value whenever any other change is made.

See mailing list discussion:
https://sourceforge.net/p/roundup/mailman/message/36615272/
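The two ETag constructions contrasted in the report, as an added illustration (not code from Roundup or from the message author): an unkeyed md5 over all item properties, which anyone holding the same property values can recompute, beside the two mitigations proposed above, an HMAC with a per-instance secret key and a random per-item token regenerated on every change. The item dictionary, the `private_note` property standing in for a value the requesting user may not read, and the `secret_key` values are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample item. 'private_note' stands in for a property the
# requesting user is not permitted to read (assumption for the example).
SAMPLE_ITEM = {
    "id": "2551033",
    "title": "REST etag security",
    "status": "new",
    "private_note": "internal-only text",
}


def serialize(props):
    """Canonical byte representation of the item properties (sorted keys)."""
    return json.dumps(props, sort_keys=True, separators=(",", ":")).encode("utf-8")


def weak_etag(props):
    """The pattern the report describes: an unkeyed md5 over every property,
    hidden ones included. The digest is a pure function of the property
    values, so it can be recomputed by anyone who knows or guesses them."""
    return hashlib.md5(serialize(props)).hexdigest()


def keyed_etag(props, secret_key):
    """Mitigation 1: HMAC-SHA256 with a per-instance secret. Without the key
    the tag cannot be recomputed, so it no longer confirms property values."""
    return hmac.new(secret_key, serialize(props), hashlib.sha256).hexdigest()


class RandomEtagItem:
    """Mitigation 2: a random ETag stored with the item, unrelated to its
    properties, replaced by a fresh random value on every change."""

    def __init__(self, props):
        self.props = dict(props)
        self.etag = secrets.token_hex(16)

    def update(self, **changes):
        self.props.update(changes)
        self.etag = secrets.token_hex(16)


def etag_matches(expected, presented):
    """Constant-time comparison for If-Match / If-None-Match handling."""
    return hmac.compare_digest(expected, presented)


def new_instance_key():
    """Per-instance secret for keyed_etag; generate once at install time and
    keep it outside the database dump (assumption about deployment)."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_instance_key()
    print("md5 etag  :", weak_etag(SAMPLE_ITEM))
    print("hmac etag :", keyed_etag(SAMPLE_ITEM, key))
    item = RandomEtagItem(SAMPLE_ITEM)
    before = item.etag
    item.update(status="chatting")
    print("random etag changed on update:", before != item.etag)
```

The `weak_etag` value depends on `private_note`, which is exactly why it can act as an oracle; `keyed_etag` over the same properties differs between instances with different keys and cannot be derived from the properties alone, and `RandomEtagItem` sidesteps the question entirely by never deriving the tag from property values.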
History
Date: 2019-03-19 00:22:45
User: joseph_myers
Action: create
Args: