
Issue 847359


Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




Ensure UI Catalog can only access screenshots that its user is allowed to access.

Project Member Reported by aber...@chromium.org, May 29 2018

Issue description

When landing the UI Catalog in the infra repository, there was a concern that it might give access to screenshots that its user should not have access to. See https://chromium-review.googlesource.com/c/infra/infra/+/1057809/7/appengine/ui_catalogue/pylib/cloud_server.py#42.

Work out what further measures we can take to prevent this.
 
The relevant code is https://cs.chromium.org/chromium/infra/appengine/ui_catalogue/pylib/cloud_server.py?rcl=7071dd6f14a1d9c134d8b16f1e1c5050da12359d&l=46

Reading https://cloud.google.com/storage/docs/authentication I think this code will only be able to access objects that allow anonymous access (and are hence accessible to all users). Any other access, including using a service account (see https://cloud.google.com/storage/docs/authentication#service_accounts), appears to need an access token. Since there is no authentication code in the UI Catalog, it will not have an access token.

agable@ - please comment, or close this bug if you agree.
Components: Infra>UICatalogue
Status: Available (was: Untriaged)
