Security: chromium-swarm is accessible for normal gmail accounts (not sure)
Reported by
tthe.dol...@gmail.com,
May 4 2018
Issue description

VULNERABILITY DETAILS

A normal gmail / googlemail user can access the https://chromium-swarm.appspot.com/ site and can manage / view all bots / tasks.

BTW: In Firefox I needed to disable the CSP protection by changing the "security.csp.enable" value to false.

The site https://www.chromium.org/developers/testing/isolated-testing/infrastructure says that chromium-swarm.appspot.com requires valid Google accounts. Maybe I am wrong, but I thought that they mean that only Google employees should be able to access that website. Please clarify.

I have not tested it, but I think that I can even cancel, retry (which would lead to money loss due to the server costs) and do more stuff. However, I was able to access the site and to receive the log files via the command line. See attachments.
,
May 4 2018
Dirk, could you check this out or re-assign as appropriate? Thanks!
,
May 4 2018
I think we changed things at some point so that chromium-swarm is supposed to be readable to logged-in users now, and likely the doc is just old. I would not expect a generic logged-in user to have permission to retry or cancel tasks, and, when I just did a simple test from one such account, I (correctly) wasn't able to cancel a task. maruel@ (or vadimsh@ or estaab@), can you confirm this and update the docs if I'm right, or fix something if I'm wrong and this is a real issue? chrome-internal-review.googlesource.com should be accessible to signed-in accounts, but the contents themselves should not be visible (and, as far as I know, aren't), so I don't think this is an issue.
,
May 4 2018
,
May 4 2018
Thanks for the report. It is working as intended. The documentation is stale, I'm updating it. I made chromium-swarm.appspot.com accessible to any Google Account but didn't advertise it publicly. As Dirk said for chrome-internal-review.googlesource.com, it is also working as intended.
,
May 4 2018
Thank you for your quick and kind responses! I appreciate your clarification.
,
May 4 2018
Updates:
- The wording is technically correct. A "valid Google account" is what you may call a "GMail account". In practice a Google account may not be linked to GMail. Nor does this mean a "googler account". I agree it can be a bit confusing.
- Still, the document was very stale. Did a quick cleanup.
- Filed issue 839909 for the breakage on Firefox. That's unfortunate and we'll look at fixing it.
- You see the button for actions like "Cancel", but they won't work even if you tried to enable it by messing with the Web UI. This is enforced server-side. That's working as intended, so everyone sees a similar Web UI.

Feel free to check out https://chromium.googlesource.com/infra/luci/luci-py.git, look at the code and report anything you find, it's open source!

Marking as Fixed since I updated the doc a bit. :) Removing the restricted view as there's no more action item left.
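
The server-side enforcement described in the comment above, sketched as an added example (not part of the original thread and not code from luci-py): any signed-in account may read, while cancel is decided only from the server's own record of the caller. The group name, the `Identity`/`Task` types and the `handle` function are hypothetical, and the sample accounts and request body are constructed.

```python
from dataclasses import dataclass
from typing import Optional

CANCEL_GROUP = "task-cancelers"  # hypothetical group name, not from the page


@dataclass(frozen=True)
class Identity:
    """Caller identity as established by the server's own authentication."""
    email: Optional[str]              # None means not signed in
    groups: frozenset = frozenset()   # membership looked up server-side


@dataclass
class Task:
    task_id: str
    state: str = "PENDING"


def handle(who, action, task, body=None):
    """Return (http_status, payload). `body` is client-supplied and untrusted."""
    if who.email is None:
        return 401, "sign-in required"
    if action == "view":
        # Read access: any signed-in account.
        return 200, {"task_id": task.task_id, "state": task.state}
    if action == "cancel":
        # Authorization uses only `who`; nothing in `body` is consulted, so a
        # button re-enabled in the Web UI changes nothing here.
        if CANCEL_GROUP not in who.groups:
            return 403, "not allowed to cancel"
        task.state = "CANCELED"
        return 200, {"task_id": task.task_id, "state": task.state}
    return 400, "unknown action"


def demo():
    task = Task("constructed-task-1")  # constructed sample data
    anon = Identity(None)
    user = Identity("someone@example.com")
    admin = Identity("admin@example.com", frozenset({CANCEL_GROUP}))
    forged = {"can_cancel": True, "groups": [CANCEL_GROUP]}  # client claims
    statuses = [
        handle(anon, "view", task)[0],
        handle(user, "view", task)[0],
        handle(user, "cancel", task, forged)[0],
    ]
    state_after_user = task.state
    statuses.append(handle(admin, "cancel", task)[0])
    return statuses, state_after_user, task.state


if __name__ == "__main__":
    print(demo())
```
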
,
May 4 2018
,
May 6 2018
Going further, I've spent a lot of time auditing Chromium Swarm around 3 weeks ago and was not able to run any command on the cluster without a valid Chromium or Google account. I also verified the API.
Comment 1 by tthe.dol...@gmail.com
, May 4 2018 (attachment, 93.2 KB)