*** sdake_ has joined #openstack-security | 00:02 | |
sdake_ | hyakuhei around re item #5 of the VMT | 00:02 |
sdake_ | i am planning to add a repository to openstack to serve as a location for the security-analysis that people submit | 00:02 |
sdake_ | the only way to add this is to make it under OSSP governance | 00:03 |
sdake_ | are you good with that? | 00:03 |
sdake_ | or do you recommend I ask on the mailing list or the like? | 00:03 |
sdake_ | or any other security core with feedback on this point? | 00:03 |
sdake_ | tmcpeak ? | 00:03 |
*** ccneill has quit IRC | 00:07 | |
*** austin987 has joined #openstack-security | 00:10 | |
sdake_ | tmcpeak hyakuhei https://review.openstack.org/#/c/300698/3 | 00:16 |
sdake_ | please have a look | 00:17 |
*** jhonandrys has joined #openstack-security | 00:29 | |
*** jhonandrys has quit IRC | 00:31 | |
*** markvoelker has joined #openstack-security | 00:40 | |
*** tmcpeak has quit IRC | 00:41 | |
*** edtubill has joined #openstack-security | 00:52 | |
*** browne has quit IRC | 01:10 | |
*** flerfb0rt has joined #openstack-security | 01:34 | |
*** KarthikB has joined #openstack-security | 01:49 | |
*** edtubill has quit IRC | 01:56 | |
*** edtubill has joined #openstack-security | 02:00 | |
*** naza2413 has joined #openstack-security | 02:00 | |
*** unrahul has quit IRC | 02:00 | |
*** naza2413 has quit IRC | 02:00 | |
*** edtubill has quit IRC | 02:04 | |
*** browne has joined #openstack-security | 02:13 | |
*** KarthikB_ has joined #openstack-security | 02:46 | |
*** KarthikB has quit IRC | 02:49 | |
*** yuanying has quit IRC | 02:50 | |
*** KarthikB_ has quit IRC | 03:13 | |
*** jass93 has joined #openstack-security | 03:15 | |
*** flerfb0rt has quit IRC | 03:19 | |
*** jamielennox is now known as jamielennox|away | 03:39 | |
*** diazjf has joined #openstack-security | 03:42 | |
*** markvoelker has quit IRC | 03:44 | |
*** yuanying has joined #openstack-security | 03:49 | |
*** LongyanG has quit IRC | 03:51 | |
*** LongyanG has joined #openstack-security | 03:53 | |
*** tmcpeak has joined #openstack-security | 04:02 | |
tmcpeak | sdake_: security governance sounds good | 04:05 |
sdake_ | tmcpeak i mean a fresh repository | 04:05 |
tmcpeak | sdake_: perfect | 04:05 |
sdake_ | tmcpeak security-analysis? | 04:06 |
tmcpeak | perfect | 04:06 |
sdake_ | i'll get it started, but i am too overloaded to maintain it long term | 04:06 |
tmcpeak | that's ok, we'll discuss how to do that in our next meeting | 04:06 |
tmcpeak | I'll add an agenda item now for it | 04:06 |
sdake_ | ok i'll get cooking with it | 04:06 |
sdake_ | tmcpeak you sure hyakuhei will be good with that model? | 04:06 |
sdake_ | and everyone else | 04:06 |
sdake_ | or do we need wider audience | 04:07 |
tmcpeak | yeah I'm pretty sure he'll like it, and if we have to move it elsewhere later we will | 04:07 |
tmcpeak | this is a good starting place | 04:07 |
tmcpeak | I've scheduled a place for us to talk about it in the next meeting but that's a week from now | 04:07 |
tmcpeak | let's do this with the understanding that it will live here and if something crazy comes up we can revisit | 04:08 |
tmcpeak | sdake_: ^ | 04:08 |
tmcpeak | security will own the artifacts, the rest is housekeeping | 04:09 |
tmcpeak | TBH it doesn't make sense anywhere else | 04:09 |
sdake_ | tmcpeak sounds good | 04:10 |
sdake_ | did you see the item 5 of the review related to vmt | 04:10 |
tmcpeak | no, what's this? | 04:11 |
tmcpeak | oh gotcha | 04:11 |
tmcpeak | the review | 04:11 |
tmcpeak | reading now | 04:11 |
tmcpeak | sdake_: ok so not the security-doc repo | 04:12 |
tmcpeak | let's keep it separate | 04:12 |
sdake_ | do you like the new language | 04:12 |
tmcpeak | yeah that seems reasonable | 04:13 |
tmcpeak | there is a typo I'll add to the review but it seems like a good plan | 04:13 |
tmcpeak | basically OSSP isn't on the hook to do the reviews but it can if it chooses | 04:13 |
tmcpeak | I definitely want a separate repo though, not in security-doc | 04:14 |
tmcpeak | in the future we might even need to sub-repo | 04:14 |
tmcpeak | depending on how big and binary these artifacts get | 04:14 |
tmcpeak | security-analysis is good | 04:15 |
sdake_ | tmcpeak you have the wrong patch under review | 04:15 |
sdake_ | https://review.openstack.org/#/c/300698/ | 04:15 |
tmcpeak | rly | 04:15 |
tmcpeak | sec | 04:15 |
sdake_ | ya you have version3 i already fixed that typo in version 4 | 04:15 |
tmcpeak | ahh | 04:15 |
tmcpeak | just clicked old linky from 5:00 ;) | 04:15 |
tmcpeak | review.o is being slow | 04:16 |
sdake_ | tmcpeak cool | 04:16 |
sdake_ | well everything else is the same | 04:16 |
sdake_ | but i self review after each submission | 04:16 |
tmcpeak | ok then I'm happy with that | 04:16 |
sdake_ | and picked it up and fixed it | 04:16 |
tmcpeak | review.o is working more than it should ;) | 04:16 |
sdake_ | ya i know, but git diff isn't as good as gerrit review ;) | 04:16 |
sdake_ | cool I'll create the repo tonight | 04:17 |
sdake_ | or get a request for it created | 04:17 |
tmcpeak | wait | 04:17 |
sdake_ | and get the governance change in | 04:17 |
tmcpeak | this is talking about putting it in security-doc | 04:17 |
tmcpeak | or am I missing something? | 04:17 |
tmcpeak | Finally, the | 04:17 |
tmcpeak | results of the review, audit, or threat analysis must | 04:17 |
tmcpeak | be proposed as a gerrit review in the 'security documentation repository' | 04:17 |
tmcpeak | http://git.openstack.org/cgit/openstack/security-doc/'__. | 04:17 |
sdake_ | yes i haven't updated it yet with the proper repo | 04:17 |
tmcpeak | ok cool | 04:18 |
tmcpeak | update that and I think we're gtg | 04:18 |
sdake_ | tmcpeak can you leave a note saying the security team definitely wants it in a different repo and security-analysis is a good choice for name | 04:18 |
tmcpeak | put that as a comment | 04:18 |
tmcpeak | yep, done | 04:19 |
sdake_ | thanks | 04:19 |
tmcpeak | cool man, I'm going to run but great work on this | 04:19 |
tmcpeak | thanks for driving this | 04:19 |
sdake_ | sure | 04:19 |
tmcpeak | cool, laters | 04:19 |
sdake_ | it's self interest really :) | 04:19 |
sdake_ | i'm not doing it for you i'm doing it for me ;) | 04:19 |
sdake_ | tmcpeak we are in luck, security-analysis is not taken in pypi | 04:30 |
*** markvoelker has joined #openstack-security | 04:44 | |
*** dave-mccowan has quit IRC | 04:47 | |
*** markvoelker has quit IRC | 04:49 | |
*** rcernin has joined #openstack-security | 04:58 | |
*** rcernin has quit IRC | 05:04 | |
*** diazjf has quit IRC | 05:08 | |
*** yuanying has quit IRC | 05:17 | |
*** tmcpeak has quit IRC | 05:20 | |
openstackgerrit | Merged openstack/security-doc: Add OSSN-0063 https://review.openstack.org/267800 | 05:24 |
*** rcernin has joined #openstack-security | 05:46 | |
*** yuanying has joined #openstack-security | 06:05 | |
*** vinaypotluri has quit IRC | 06:10 | |
*** openstackgerrit has quit IRC | 06:17 | |
*** openstackgerrit has joined #openstack-security | 06:17 | |
*** yuanying has quit IRC | 06:28 | |
*** cgross has quit IRC | 06:28 | |
*** yuanying has joined #openstack-security | 06:29 | |
*** lmiccini has quit IRC | 06:29 | |
*** yuanying has quit IRC | 06:31 | |
*** yuanying has joined #openstack-security | 06:31 | |
*** cgross has joined #openstack-security | 06:31 | |
*** lmiccini has joined #openstack-security | 06:32 | |
*** yuanying has quit IRC | 06:33 | |
*** yuanying has joined #openstack-security | 06:34 | |
*** browne has quit IRC | 06:37 | |
*** markvoelker has joined #openstack-security | 06:45 | |
*** markvoelker has quit IRC | 06:58 | |
*** openstackgerrit has quit IRC | 07:03 | |
*** openstackgerrit has joined #openstack-security | 07:03 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/325100 | 07:41 |
openstackgerrit | Merged openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/325100 | 07:49 |
*** yuanying has quit IRC | 07:50 | |
*** nikhil has quit IRC | 07:58 | |
*** Ryan_Lane has quit IRC | 07:58 | |
*** tpeoples has quit IRC | 07:58 | |
*** sdake_ has quit IRC | 08:03 | |
*** webhat_ has joined #openstack-security | 08:37 | |
*** webhat has quit IRC | 08:39 | |
*** yuanying has joined #openstack-security | 08:39 | |
*** tpeoples has joined #openstack-security | 09:08 | |
*** Ryan_Lane has joined #openstack-security | 09:11 | |
*** nikhil_ has joined #openstack-security | 09:17 | |
*** nikhil_ is now known as Guest27231 | 09:17 | |
*** rcernin is now known as rcernin|lunch | 09:31 | |
*** pcaruana has joined #openstack-security | 09:44 | |
*** Ryan_Lane has quit IRC | 10:02 | |
*** tpeoples has quit IRC | 10:02 | |
*** Guest27231 has quit IRC | 10:02 | |
*** webhat_ has quit IRC | 10:16 | |
*** rcernin|lunch is now known as rcernin | 10:20 | |
*** Trident has quit IRC | 10:24 | |
*** tpeoples has joined #openstack-security | 10:32 | |
*** Ryan_Lane has joined #openstack-security | 10:35 | |
*** Guest27231 has joined #openstack-security | 10:41 | |
*** Trident has joined #openstack-security | 10:43 | |
*** webhat_ has joined #openstack-security | 10:49 | |
*** markvoelker has joined #openstack-security | 10:55 | |
*** markvoelker has quit IRC | 11:00 | |
*** tesseract has joined #openstack-security | 11:33 | |
*** d0ugal has quit IRC | 11:34 | |
*** pcaruana has quit IRC | 11:45 | |
*** markvoelker has joined #openstack-security | 12:11 | |
*** markvoelker has quit IRC | 12:15 | |
*** markvoelker has joined #openstack-security | 12:16 | |
*** dave-mccowan has joined #openstack-security | 12:44 | |
*** sdake has joined #openstack-security | 12:49 | |
*** d0ugal has joined #openstack-security | 12:55 | |
*** flerfb0rt has joined #openstack-security | 12:57 | |
*** aurelien__ has joined #openstack-security | 13:28 | |
*** KarthikB has joined #openstack-security | 13:38 | |
*** KarthikB_ has joined #openstack-security | 13:40 | |
*** edmondsw has joined #openstack-security | 13:41 | |
*** KarthikB has quit IRC | 13:43 | |
*** Guest27231 has quit IRC | 13:45 | |
*** Guest27231 has joined #openstack-security | 13:46 | |
*** Guest27231 is now known as nikhil | 13:48 | |
*** tmcpeak has joined #openstack-security | 13:50 | |
*** ametts has joined #openstack-security | 13:52 | |
*** salv-orlando has joined #openstack-security | 14:05 | |
*** KarthikB_ has quit IRC | 14:06 | |
*** KarthikB has joined #openstack-security | 14:13 | |
*** mvaldes has joined #openstack-security | 14:15 | |
*** KarthikB has quit IRC | 14:19 | |
*** KarthikB has joined #openstack-security | 14:19 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 14:22 | |
*** KarthikB has quit IRC | 14:24 | |
*** KarthikB has joined #openstack-security | 14:30 | |
*** KarthikB_ has joined #openstack-security | 14:31 | |
*** KarthikB has quit IRC | 14:35 | |
*** KarthikB_ has quit IRC | 14:35 | |
*** rcernin has quit IRC | 14:46 | |
*** tmcpeak has quit IRC | 14:50 | |
*** KarthikB has joined #openstack-security | 14:55 | |
*** zul has quit IRC | 15:05 | |
*** zul has joined #openstack-security | 15:05 | |
*** tmcpeak has joined #openstack-security | 15:06 | |
*** aurelien__ has quit IRC | 15:10 | |
*** KarthikB has quit IRC | 15:11 | |
*** KarthikB has joined #openstack-security | 15:18 | |
*** KarthikB has quit IRC | 15:22 | |
*** yeahitsme has joined #openstack-security | 15:22 | |
*** KarthikB has joined #openstack-security | 15:24 | |
*** KarthikB has quit IRC | 15:28 | |
*** KarthikB has joined #openstack-security | 15:30 | |
*** rcernin has joined #openstack-security | 15:31 | |
*** yeahitsme has left #openstack-security | 15:32 | |
*** KarthikB has quit IRC | 15:34 | |
*** KarthikB has joined #openstack-security | 15:34 | |
*** ninag has joined #openstack-security | 15:34 | |
*** ninag has quit IRC | 15:35 | |
*** jmckind has joined #openstack-security | 15:38 | |
*** d0ugal has quit IRC | 15:39 | |
*** rcernin has quit IRC | 15:39 | |
*** ccneill has joined #openstack-security | 15:44 | |
*** KarthikB has quit IRC | 15:48 | |
*** KarthikB has joined #openstack-security | 15:48 | |
*** KarthikB has quit IRC | 15:53 | |
*** KarthikB has joined #openstack-security | 15:54 | |
*** jmckind has quit IRC | 15:57 | |
*** KarthikB has quit IRC | 15:59 | |
*** KarthikB has joined #openstack-security | 15:59 | |
*** mdong has joined #openstack-security | 16:00 | |
*** liverpooler has quit IRC | 16:01 | |
*** vinaypotluri has joined #openstack-security | 16:04 | |
*** diazjf has joined #openstack-security | 16:11 | |
*** unrahul has joined #openstack-security | 16:13 | |
*** jmckind has joined #openstack-security | 16:13 | |
*** woodburn has joined #openstack-security | 16:17 | |
*** woodburn has left #openstack-security | 16:19 | |
*** tesseract has quit IRC | 16:19 | |
*** rcernin has joined #openstack-security | 16:31 | |
*** jmckind has quit IRC | 16:35 | |
*** jmckind has joined #openstack-security | 16:36 | |
*** datadog327 has joined #openstack-security | 16:47 | |
*** KarthikB has quit IRC | 16:53 | |
*** nkinder has quit IRC | 16:56 | |
*** nkinder has joined #openstack-security | 16:56 | |
*** KarthikB has joined #openstack-security | 16:59 | |
*** KarthikB has quit IRC | 17:04 | |
*** KarthikB has joined #openstack-security | 17:06 | |
*** jmckind has quit IRC | 17:06 | |
*** jmckind has joined #openstack-security | 17:06 | |
*** KarthikB has quit IRC | 17:11 | |
*** jmckind has quit IRC | 17:11 | |
*** salv-orlando has quit IRC | 17:11 | |
*** salv-orlando has joined #openstack-security | 17:12 | |
*** KarthikB has joined #openstack-security | 17:12 | |
sdake | hyakuhei tmcpeak need a ptl+1 on the security analysis repository review https://review.openstack.org/#/c/325049/ | 17:15 |
*** KarthikB has quit IRC | 17:17 | |
*** KarthikB has joined #openstack-security | 17:18 | |
*** KarthikB has quit IRC | 17:23 | |
*** mdong has quit IRC | 17:24 | |
*** KarthikB has joined #openstack-security | 17:25 | |
*** KarthikB has quit IRC | 17:29 | |
*** mvaldes has quit IRC | 17:31 | |
*** KarthikB has joined #openstack-security | 17:31 | |
*** KarthikB has quit IRC | 17:36 | |
*** KarthikB has joined #openstack-security | 17:39 | |
tmcpeak | sdake: taking a look now | 17:43 |
*** KarthikB has quit IRC | 17:43 | |
*** mdong has joined #openstack-security | 17:44 | |
tmcpeak | sdake: with ajaeger's change I think we're good | 17:45 |
*** KarthikB has joined #openstack-security | 17:45 | |
sdake | tmcpeak ya I can make his changes, but I need Rob's +1 | 17:47 |
sdake | or ajaeger won't merge the patch | 17:47 |
sdake | (it's an infrastructure requirement) | 17:47 |
sdake | i could merge it outside of the security project | 17:47 |
sdake | but that would be gaming the system, which i don't do :) | 17:47 |
tmcpeak | hyakuhei might be out for the weekend ;) | 17:49 |
tmcpeak | late in England | 17:49 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/anchor: Updated from global requirements https://review.openstack.org/314347 | 18:10 |
*** mvaldes has joined #openstack-security | 18:36 | |
*** KarthikB has quit IRC | 18:44 | |
*** zul has quit IRC | 18:45 | |
*** zul has joined #openstack-security | 18:51 | |
*** zul has quit IRC | 18:56 | |
*** zul has joined #openstack-security | 18:56 | |
*** salv-orl_ has joined #openstack-security | 19:15 | |
*** salv-orlando has quit IRC | 19:18 | |
*** ametts has quit IRC | 19:22 | |
*** austin987 has quit IRC | 19:33 | |
*** turvey has joined #openstack-security | 20:11 | |
*** turvey has quit IRC | 20:15 | |
*** rcernin has quit IRC | 20:15 | |
*** mwturvey has joined #openstack-security | 20:15 | |
*** datadog327 has quit IRC | 20:31 | |
*** diazjf has quit IRC | 20:42 | |
*** mvaldes has quit IRC | 21:04 | |
*** salv-orl_ has quit IRC | 21:06 | |
*** salv-orlando has joined #openstack-security | 21:07 | |
*** edtubill has joined #openstack-security | 21:09 | |
unrahul | mdong: ccneill Guys, it seems there was already an input validation sort of issue.. in vAPI | 21:10 |
ccneill | nice | 21:10 |
ccneill | what is it? | 21:10 |
unrahul | mdong: ccneill in user creation part, json.decode need it to be ascii | 21:10 |
unrahul | mdavidson: ccneill so what i did was, just put a try catch block around it and added a custom handler to print a stack trace sort of.. with the error code | 21:11 |
unrahul | ccneill: mdong , can you guys check this out and see if we need to add another string validation issue.. as well https://github.com/rahulunair/vulnerable-api/commit/dd24f0899b33cc6b8f261678a513cc06816b8f3e | 21:12 |
*** mwturvey has left #openstack-security | 21:12 | |
unrahul | ccneill: mdong Now the vAPI will show a trace for all 500, 400 and 403 errors.. I wrote a handler method, otherwise the error is wrapped in html.. | 21:12 |
vinaypotluri | Charles so i want to confirm if I have to just print the default stacktrace or a custom msg | 21:13 |
vinaypotluri | https://www.irccloud.com/pastebin/4qnFBMPv/ | 21:13 |
ccneill | unrahul / vinaypotluri : does the API not return the stacktrace on exceptions currently? | 21:13 |
unrahul | unrahul: nop | 21:13 |
ccneill | hmm | 21:13 |
vinaypotluri | not by default | 21:14 |
unrahul | ccneill: it gets stuck.. if something goes wrong..at times | 21:14 |
ccneill | gimme a second | 21:14 |
*** flerfb0rt has quit IRC | 21:15 | |
unrahul | ccneill: mdong In a way, it does throw the interpreter stack trace from the server. at time. but do we want that..? I thought it be would be better to have a custom one as normally any real framework would have a custom trace ryt..? | 21:18 |
ccneill | so right now it looks like it's throwing an HTML error page | 21:18 |
ccneill | but I think if you change this line | 21:18 |
ccneill | https://github.com/rahulunair/vulnerable-api/blob/dd24f0899b33cc6b8f261678a513cc06816b8f3e/ansible/roles/api/files/vAPI.py#L259 | 21:18 |
ccneill | to include debug=True | 21:19 |
ccneill | that *should* cause bottle to return the stacktrace when an exception is unhandled | 21:19 |
*** austin987 has joined #openstack-security | 21:19 | |
ccneill | I see that debug(True) is in there, but their docs aren't really clear on what the difference is.. | 21:19 |
mdong | so right now doesn’t it still return a stacktrace on 500s? | 21:20 |
ccneill | oh yeah | 21:20 |
ccneill | derp | 21:20 |
unrahul | ha.. yeah.. debug(True) returns a stacktrace from the interpreter | 21:20 |
unrahul | but.. it doesnt give much details.. like the status code and all | 21:20 |
ccneill | I should've just looked at my responses from Burp | 21:20 |
ccneill | yeah, it's already returning a stacktrace | 21:20 |
ccneill | so that's fine | 21:20 |
unrahul | So do we need a custom handler... ? | 21:21 |
ccneill | so long as a stacktrace is encountered and it spits it out from the API, we're good | 21:21 |
ccneill | no need to do anything special | 21:21 |
mdong | nah the current 500s are fine | 21:21 |
unrahul | for others.. like 4xx ..? | 21:22 |
ccneill | we just want it to handle it like a default bottle/flask/etc. app would | 21:23 |
ccneill | nothing fancy | 21:23 |
ccneill | if an unhandled exception is thrown, throw the stacktrace; if not, just print a generic error (404/whatever) | 21:23 |
ccneill | we don't want to make it too easy for ourselves :) | 21:23 |
unrahul | ryt.. sounds good.. | 21:24 |
ccneill | >< gerrit's down | 21:24 |
*** edtubill has quit IRC | 21:37 | |
*** tmcpeak1 has joined #openstack-security | 21:40 | |
*** tmcpeak1 has quit IRC | 21:40 | |
*** tmcpeak has quit IRC | 21:41 | |
*** dave-mccowan has quit IRC | 21:54 | |
*** mdong_ has joined #openstack-security | 22:01 | |
*** mdong has quit IRC | 22:05 | |
*** mdong_ is now known as mdong | 22:05 | |
*** mdong has quit IRC | 22:29 | |
*** markvoelker has quit IRC | 22:31 | |
*** edmondsw has quit IRC | 22:41 | |
*** alejandro has joined #openstack-security | 23:16 | |
*** alejandro has quit IRC | 23:18 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!