haproxy Cookie id leaks information about software #8615
Conversation
|
@openshift/networking PTAL |
|
@openshift/networking The previous PR (8611) comments by @marun (and ramr) concerned whether or not we need the PREFIX/SUFFIX at all. This is part of an on-going email chain. Also, there needs to be a test case and doc changes. |
|
@pecameron It would have been preferable to edit the previous branch/PR rather that creating a new one. I recommend reading up on git's 'interactive rebase' and 'cherry picking' capabilities the next time you run into this kind of problem. |
| } | ||
|
|
||
| // Possibly hash the name for later use in obsuring cookie ID | ||
| if os.Getenv("COOKIE_PREFIX_MAIN") + os.Getenv("COOKIE_PREFIX_EDGE") + os.Getenv("COOKIE_PREFIX_REENCRYPT") != "" { |
There was a problem hiding this comment.
Code used from inside the router needs to be parameterized from the router cmd and passed as members. Only values that are solely used within the template should be environment variables (basically, no os.Getenv except in templates or in top level CLI).
There was a problem hiding this comment.
Can we just do it with a flag (in lieu of 3 env vars) that does this equivalent of "obfuscating" the cookie name. Or maybe even just do it by default?
Maybe hash it based on the tls.Termination + backendKey as it would have the type of route as well. Something like:
Hash: fmt.Sprintf("%s_%s", tls.Termination, backendKey),
}
// ...
if r.TheObsfucatorFlagName { // replace flag name w/ the real one.
config.Hash = fmt.Sprintf("%x", md5.Sum([]byte(config.Hash)))
}
There was a problem hiding this comment.
There was a problem hiding this comment.
On 04/22/2016 06:21 PM, Clayton Coleman wrote:
In pkg/router/template/router.go
#8615 (comment):@@ -398,6 +399,12 @@ func (r *templateRouter) AddRoute(id string, route *routeapi.Route, host string)
config := ServiceAliasConfig{
Host: host,
Path: route.Spec.Path,
Hash: backendKey,- }
- // Possibly hash the name for later use in obsuring cookie ID
- if os.Getenv("COOKIE_PREFIX_MAIN") + os.Getenv("COOKIE_PREFIX_EDGE") + os.Getenv("COOKIE_PREFIX_REENCRYPT") != "" {
Code used from inside the router needs to be parameterized from the
router cmd and passed as members. Only values that are solely used
within the template should be environment variables (basically, no
os.Getenv except in templates or in top level CLI).—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
https://github.com/openshift/origin/pull/8615/files/efbfa149db72f9378c1378793e9db0263996d6f0#r60810832Thanks for taking a look. Is it OK to pass the environment variables
through the dc?I will make the changes.
There was a problem hiding this comment.
@pecameron as the @eparis commented and based on the later comments, just set the hash to something like:
config.Hash = fmt.Sprintf("%x", md5.Sum([]byte(fmt.Sprintf("%s_%s", tls.Termination, backendKey)))) unconditionally and then use it `{{cfg.Hash}}`` as the cookie name in the template.
That way you don't need any environment variables.
And maybe use
There was a problem hiding this comment.
On 04/25/2016 02:20 PM, Ram Ranganathan wrote:
In pkg/router/template/router.go
#8615 (comment):@@ -398,6 +399,12 @@ func (r *templateRouter) AddRoute(id string, route *routeapi.Route, host string)
config := ServiceAliasConfig{
Host: host,
Path: route.Spec.Path,
Hash: backendKey,- }
- // Possibly hash the name for later use in obsuring cookie ID
- if os.Getenv("COOKIE_PREFIX_MAIN") + os.Getenv("COOKIE_PREFIX_EDGE") + os.Getenv("COOKIE_PREFIX_REENCRYPT") != "" {
@pecameron https://github.com/pecameron as the @eparis
https://github.com/eparis commented and based on the later comments,
just set the hash to something like:
|config.Hash = fmt.Sprintf("%x", md5.Sum([]byte(fmt.Sprintf("%s_%s",
tls.Termination, backendKey))))| unconditionally and then use it
|{{cfg.Hash}}|` as the cookie name in the template.That way you don't need any environment variables.
And maybe use—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
https://github.com/openshift/origin/pull/8615/files/efbfa149db72f9378c1378793e9db0263996d6f0#r60961740Hi Ram,
Thanks! How do I test this new feature in
pkg/router/template/router_test.go?
Thanks,
phil
There was a problem hiding this comment.
Look at the integration tests in test/integration/router_test.go - what you need to do is probably similar to TestRouterPathSpecificity - check that the response back from the client has a cookie + its name is "mangled".
There was a problem hiding this comment.
Forgot to add - you have to check that the HTTP response has a cookie by looking at the HTTP headers, so you will also need some change to the getRouter helper function used in the test - as that currently returns only the content (not the headers).
|
I argue that we don't need any of this stuff. Just make the entire thing be an opaque hash. I do not believe there is any point to having any human readable words in here. |
|
Agreed on that as well
|
|
On 04/22/2016 05:19 PM, Maru Newby wrote:
|
|
I mad the discussed changes, PTAL |
| @@ -450,6 +451,8 @@ func (r *templateRouter) AddRoute(id string, route *routeapi.Route, host string) | |||
| } | |||
| } | |||
|
|
|||
| config.RoutingKeyName = fmt.Sprintf("%x", md5.Sum([]byte(fmt.Sprintf("%s %s", config.TLSTermination, backendKey)))) | |||
There was a problem hiding this comment.
The use of tlsterm and route key (namespace + route name) maintains the current semantics such that if the type or name of a route changes, it's cookie id will differ accordingly. Without a salt brute force recovery would be possible, but I'm not sure that's a problem.
There was a problem hiding this comment.
Yeah, I don't think I care about the 'brute force ability'
There was a problem hiding this comment.
Yeah, so its just for uniqueness and it would probably become more readable if we just used a temp
variable to store the key and then hash it and set config.RoutingKey ala:
key := fmt.Sprintf("%s %s", config.TLSTermination, backendKey)
config.RoutingKeyName = fmt.Sprintf("%x", md5.Sum([]byte(key)))
There was a problem hiding this comment.
I will make the change.
Resolves: bz1328030 This obfuscates the cookie name my hashing the original name. Signed-off-by: Phil Cameron <[email protected]>
|
I made the discussed changes, PTAL |
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/5848/) (Image: devenv-rhel7_4140) |
|
Evaluated for origin merge up to 28ab17d |
|
[Test]ing while waiting on the merge queue |
|
Evaluated for origin test up to 28ab17d |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/3678/) |
Resolves: bz1318796
haproxy now md5 hashes the project_routename to generate the Cookie ID.
Signed-off-by: Phil Cameron [email protected]