Issue 847359 link

Starred by 1 user

Issue metadata

Status:	Available
Owner:	----
Cc:	█ bauerb@chromium.org aga...@chromium.org
Components:	Infra>UICatalogue
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	3
Type:	Bug

Ensure UI Catalog can only access screenshots that its user is allowed to access.

Project Member Reported by aber...@chromium.org, May 29 2018

Issue description

When landing the UI Catalog in the infra repository, there was a concern that it might give access to screenshots that its user should not have access to. See https://chromium-review.googlesource.com/c/infra/infra/+/1057809/7/appengine/ui_catalogue/pylib/cloud_server.py#42.

Work out what further measures we can take to prevent this.

Comment 1 by aber...@chromium.org, May 29 2018

The relevant code is https://cs.chromium.org/chromium/infra/appengine/ui_catalogue/pylib/cloud_server.py?rcl=7071dd6f14a1d9c134d8b16f1e1c5050da12359d&l=46

Reading https://cloud.google.com/storage/docs/authentication I think this code will only be able to access objects that allow anonymous access (and are hence accessible to all users). Any other access, including using a service account (see https://cloud.google.com/storage/docs/authentication#service_accounts), appears to need an access token. Since there is no authentication code in the UI Catalog, it will not have an access token.

agable@ - please comment, or close this bug if you agree.

Comment 2 by aber...@chromium.org, May 30 2018

Components: Infra>UICatalogue

Comment 3 by aber...@chromium.org, May 30 2018

Status: Available (was: Untriaged)

►

Issue 847359 link

Issue metadata

Ensure UI Catalog can only access screenshots that its user is allowed to access.

Issue description

Comment 1 by aber...@chromium.org, May 29 2018

Comment 1 Deleted

Comment 2 by aber...@chromium.org, May 30 2018

Comment 2 Deleted

Comment 3 by aber...@chromium.org, May 30 2018

Comment 3 Deleted

Sign in to add a comment