Friday, 2016-06-03

00:02 *** sdake_ has joined #openstack-security
00:02 <sdake_> hyakuhei around re item #5 of the VMT
00:02 <sdake_> i am planning to add a repository to openstack to serve as a location for the security-analysis that people submit
00:03 <sdake_> the only way to add this is to make it under OSSP governance
00:03 <sdake_> are you good with that?
00:03 <sdake_> or do you recommend I ask on the mailing list or the like?
00:03 <sdake_> or any other security core with feedback on this point?
00:03 <sdake_> tmcpeak ?
00:07 *** ccneill has quit IRC
00:10 *** austin987 has joined #openstack-security
00:16 <sdake_> tmcpeak hyakuhei https://review.openstack.org/#/c/300698/3
00:17 <sdake_> please have a look
00:29 *** jhonandrys has joined #openstack-security
00:31 *** jhonandrys has quit IRC
00:40 *** markvoelker has joined #openstack-security
00:41 *** tmcpeak has quit IRC
00:52 *** edtubill has joined #openstack-security
01:10 *** browne has quit IRC
01:34 *** flerfb0rt has joined #openstack-security
01:49 *** KarthikB has joined #openstack-security
01:56 *** edtubill has quit IRC
02:00 *** edtubill has joined #openstack-security
02:00 *** naza2413 has joined #openstack-security
02:00 *** unrahul has quit IRC
02:00 *** naza2413 has quit IRC
02:04 *** edtubill has quit IRC
02:13 *** browne has joined #openstack-security
02:46 *** KarthikB_ has joined #openstack-security
02:49 *** KarthikB has quit IRC
02:50 *** yuanying has quit IRC
03:13 *** KarthikB_ has quit IRC
03:15 *** jass93 has joined #openstack-security
03:19 *** flerfb0rt has quit IRC
03:39 *** jamielennox is now known as jamielennox|away
03:42 *** diazjf has joined #openstack-security
03:44 *** markvoelker has quit IRC
03:49 *** yuanying has joined #openstack-security
03:51 *** LongyanG has quit IRC
03:53 *** LongyanG has joined #openstack-security
04:02 *** tmcpeak has joined #openstack-security
04:05 <tmcpeak> sdake_: security governance sounds good
04:05 <sdake_> tmcpeak i mean a fresh repository
04:05 <tmcpeak> sdake_: perfect
04:06 <sdake_> tmcpeak security-analysis?
04:06 <tmcpeak> perfect
04:06 <sdake_> i'll get it started, but i am too overloaded to maintain it long term
04:06 <tmcpeak> that's ok, we'll discuss how to do that in our next meeting
04:06 <tmcpeak> I'll add an agenda item now for it
04:06 <sdake_> ok i'll get cooking with it
04:06 <sdake_> tmcpeak you sure hyakuhei will be good with that model?
04:06 <sdake_> and everyone else
04:07 <sdake_> or do we need wider audience
04:07 <tmcpeak> yeah I'm pretty sure he'll like it, and if we have to move it elsewhere later we will
04:07 <tmcpeak> this is a good starting place
04:07 <tmcpeak> I've scheduled a place for us to talk about it in the next meeting but that's a week from now
04:08 <tmcpeak> let's do this with the understanding that it will live here and if something crazy comes up we can revisit
04:08 <tmcpeak> sdake_: ^
04:09 <tmcpeak> security will own the artifacts, the rest is housekeeping
04:09 <tmcpeak> TBH it doesn't make sense anywhere else
04:10 <sdake_> tmcpeak sounds good
04:10 <sdake_> did you see the item 5 of the review related to vmt
04:11 <tmcpeak> no, what's this?
04:11 <tmcpeak> oh gotcha
04:11 <tmcpeak> the review
04:11 <tmcpeak> reading now
04:12 <tmcpeak> sdake_: ok so not the security-doc repo
04:12 <tmcpeak> let's keep it separate
04:12 <sdake_> do you like the new language
04:13 <tmcpeak> yeah that seems reasonable
04:13 <tmcpeak> there is a typo I'll add to the review but it seems like a good plan
04:13 <tmcpeak> basically OSSP isn't on the hook to do the reviews but it can if it chooses
04:14 <tmcpeak> I definitely want a separate repo though, not in security-doc
04:14 <tmcpeak> in the future we might even need to sub-repo
04:14 <tmcpeak> depending on how big and binary these artifacts get
04:15 <tmcpeak> security-analysis is good
04:15 <sdake_> tmcpeak you have the wrong patch under review
04:15 <sdake_> https://review.openstack.org/#/c/300698/
04:15 <tmcpeak> rly
04:15 <tmcpeak> sec
04:15 <sdake_> ya you have version 3 i already fixed that typo in version 4
04:15 <tmcpeak> ahh
04:15 <tmcpeak> just clicked old linky from 5:00 ;)
04:16 <tmcpeak> review.o is being slow
04:16 <sdake_> tmcpeak cool
04:16 <sdake_> well everything else is the same
04:16 <sdake_> but i self review after each submission
04:16 <tmcpeak> ok then I'm happy with that
04:16 <sdake_> and picked it up and fixed it
04:16 <tmcpeak> review.o is working more than it should ;)
04:16 <sdake_> ya i know, but git diff isn't as good as gerrit review ;)
04:17 <sdake_> cool I'll create the repo tonight
04:17 <sdake_> or get a request for it created
04:17 <tmcpeak> wait
04:17 <sdake_> and get the governance change in
04:17 <tmcpeak> this is talking about putting it in security-doc
04:17 <tmcpeak> or am I missing something?
04:17 <tmcpeak> Finally, the
04:17 <tmcpeak>    results of the review, audit, or threat analysis must
04:17 <tmcpeak>    be proposed as a gerrit review in the 'security documentation repository'
04:17 <tmcpeak>    http://git.openstack.org/cgit/openstack/security-doc/'__.
04:17 <sdake_> yes i haven't updated it yet with the proper repo
04:18 <tmcpeak> ok cool
04:18 <tmcpeak> update that and I think we're gtg
04:18 <sdake_> tmcpeak can you leave a note saying the security team definitely wants it in a different repo and security-analysis is a good choice for name
04:18 <tmcpeak> put that as a comment
04:19 <tmcpeak> yep, done
04:19 <sdake_> thanks
04:19 <tmcpeak> cool man, I'm going to run but great work on this
04:19 <tmcpeak> thanks for driving this
04:19 <sdake_> sure
04:19 <tmcpeak> cool, laters
04:19 <sdake_> it's self interest really :)
04:19 <sdake_> i'm not doing it for you i'm doing it for me ;)
04:30 <sdake_> tmcpeak we are in luck, security-analysis is not taken in pypi
04:44 *** markvoelker has joined #openstack-security
04:47 *** dave-mccowan has quit IRC
04:49 *** markvoelker has quit IRC
04:58 *** rcernin has joined #openstack-security
05:04 *** rcernin has quit IRC
05:08 *** diazjf has quit IRC
05:17 *** yuanying has quit IRC
05:20 *** tmcpeak has quit IRC
05:24 <openstackgerrit> Merged openstack/security-doc: Add OSSN-0063  https://review.openstack.org/267800
05:46 *** rcernin has joined #openstack-security
06:05 *** yuanying has joined #openstack-security
06:10 *** vinaypotluri has quit IRC
06:17 *** openstackgerrit has quit IRC
06:17 *** openstackgerrit has joined #openstack-security
06:28 *** yuanying has quit IRC
06:28 *** cgross has quit IRC
06:29 *** yuanying has joined #openstack-security
06:29 *** lmiccini has quit IRC
06:31 *** yuanying has quit IRC
06:31 *** yuanying has joined #openstack-security
06:31 *** cgross has joined #openstack-security
06:32 *** lmiccini has joined #openstack-security
06:33 *** yuanying has quit IRC
06:34 *** yuanying has joined #openstack-security
06:37 *** browne has quit IRC
06:45 *** markvoelker has joined #openstack-security
06:58 *** markvoelker has quit IRC
07:03 *** openstackgerrit has quit IRC
07:03 *** openstackgerrit has joined #openstack-security
07:41 <openstackgerrit> OpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals  https://review.openstack.org/325100
07:49 <openstackgerrit> Merged openstack/security-doc: Updated from openstack-manuals  https://review.openstack.org/325100
07:50 *** yuanying has quit IRC
07:58 *** nikhil has quit IRC
07:58 *** Ryan_Lane has quit IRC
07:58 *** tpeoples has quit IRC
08:03 *** sdake_ has quit IRC
08:37 *** webhat_ has joined #openstack-security
08:39 *** webhat has quit IRC
08:39 *** yuanying has joined #openstack-security
09:08 *** tpeoples has joined #openstack-security
09:11 *** Ryan_Lane has joined #openstack-security
09:17 *** nikhil_ has joined #openstack-security
09:17 *** nikhil_ is now known as Guest27231
09:31 *** rcernin is now known as rcernin|lunch
09:44 *** pcaruana has joined #openstack-security
10:02 *** Ryan_Lane has quit IRC
10:02 *** tpeoples has quit IRC
10:02 *** Guest27231 has quit IRC
10:16 *** webhat_ has quit IRC
10:20 *** rcernin|lunch is now known as rcernin
10:24 *** Trident has quit IRC
10:32 *** tpeoples has joined #openstack-security
10:35 *** Ryan_Lane has joined #openstack-security
10:41 *** Guest27231 has joined #openstack-security
10:43 *** Trident has joined #openstack-security
10:49 *** webhat_ has joined #openstack-security
10:55 *** markvoelker has joined #openstack-security
11:00 *** markvoelker has quit IRC
11:33 *** tesseract has joined #openstack-security
11:34 *** d0ugal has quit IRC
11:45 *** pcaruana has quit IRC
12:11 *** markvoelker has joined #openstack-security
12:15 *** markvoelker has quit IRC
12:16 *** markvoelker has joined #openstack-security
12:44 *** dave-mccowan has joined #openstack-security
12:49 *** sdake has joined #openstack-security
12:55 *** d0ugal has joined #openstack-security
12:57 *** flerfb0rt has joined #openstack-security
13:28 *** aurelien__ has joined #openstack-security
13:38 *** KarthikB has joined #openstack-security
13:40 *** KarthikB_ has joined #openstack-security
13:41 *** edmondsw has joined #openstack-security
13:43 *** KarthikB has quit IRC
13:45 *** Guest27231 has quit IRC
13:46 *** Guest27231 has joined #openstack-security
13:48 *** Guest27231 is now known as nikhil
13:50 *** tmcpeak has joined #openstack-security
13:52 *** ametts has joined #openstack-security
14:05 *** salv-orlando has joined #openstack-security
14:06 *** KarthikB_ has quit IRC
14:13 *** KarthikB has joined #openstack-security
14:15 *** mvaldes has joined #openstack-security
14:19 *** KarthikB has quit IRC
14:19 *** KarthikB has joined #openstack-security
14:22 *** sigmavirus24_awa is now known as sigmavirus24
14:24 *** KarthikB has quit IRC
14:30 *** KarthikB has joined #openstack-security
14:31 *** KarthikB_ has joined #openstack-security
14:35 *** KarthikB has quit IRC
14:35 *** KarthikB_ has quit IRC
14:46 *** rcernin has quit IRC
14:50 *** tmcpeak has quit IRC
14:55 *** KarthikB has joined #openstack-security
15:05 *** zul has quit IRC
15:05 *** zul has joined #openstack-security
15:06 *** tmcpeak has joined #openstack-security
15:10 *** aurelien__ has quit IRC
15:11 *** KarthikB has quit IRC
15:18 *** KarthikB has joined #openstack-security
15:22 *** KarthikB has quit IRC
15:22 *** yeahitsme has joined #openstack-security
15:24 *** KarthikB has joined #openstack-security
15:28 *** KarthikB has quit IRC
15:30 *** KarthikB has joined #openstack-security
15:31 *** rcernin has joined #openstack-security
15:32 *** yeahitsme has left #openstack-security
15:34 *** KarthikB has quit IRC
15:34 *** KarthikB has joined #openstack-security
15:34 *** ninag has joined #openstack-security
15:35 *** ninag has quit IRC
15:38 *** jmckind has joined #openstack-security
15:39 *** d0ugal has quit IRC
15:39 *** rcernin has quit IRC
15:44 *** ccneill has joined #openstack-security
15:48 *** KarthikB has quit IRC
15:48 *** KarthikB has joined #openstack-security
15:53 *** KarthikB has quit IRC
15:54 *** KarthikB has joined #openstack-security
15:57 *** jmckind has quit IRC
15:59 *** KarthikB has quit IRC
15:59 *** KarthikB has joined #openstack-security
16:00 *** mdong has joined #openstack-security
16:01 *** liverpooler has quit IRC
16:04 *** vinaypotluri has joined #openstack-security
16:11 *** diazjf has joined #openstack-security
16:13 *** unrahul has joined #openstack-security
16:13 *** jmckind has joined #openstack-security
16:17 *** woodburn has joined #openstack-security
16:19 *** woodburn has left #openstack-security
16:19 *** tesseract has quit IRC
16:31 *** rcernin has joined #openstack-security
16:35 *** jmckind has quit IRC
16:36 *** jmckind has joined #openstack-security
16:47 *** datadog327 has joined #openstack-security
16:53 *** KarthikB has quit IRC
16:56 *** nkinder has quit IRC
16:56 *** nkinder has joined #openstack-security
16:59 *** KarthikB has joined #openstack-security
17:04 *** KarthikB has quit IRC
17:06 *** KarthikB has joined #openstack-security
17:06 *** jmckind has quit IRC
17:06 *** jmckind has joined #openstack-security
17:11 *** KarthikB has quit IRC
17:11 *** jmckind has quit IRC
17:11 *** salv-orlando has quit IRC
17:12 *** salv-orlando has joined #openstack-security
17:12 *** KarthikB has joined #openstack-security
17:15 <sdake> hyakuhei tmcpeak need a ptl+1 on the security analysis repository review https://review.openstack.org/#/c/325049/
17:17 *** KarthikB has quit IRC
17:18 *** KarthikB has joined #openstack-security
17:23 *** KarthikB has quit IRC
17:24 *** mdong has quit IRC
17:25 *** KarthikB has joined #openstack-security
17:29 *** KarthikB has quit IRC
17:31 *** mvaldes has quit IRC
17:31 *** KarthikB has joined #openstack-security
17:36 *** KarthikB has quit IRC
17:39 *** KarthikB has joined #openstack-security
17:43 <tmcpeak> sdake: taking a look now
17:43 *** KarthikB has quit IRC
17:44 *** mdong has joined #openstack-security
17:45 <tmcpeak> sdake: with ajaeger's change I think we're good
17:45 *** KarthikB has joined #openstack-security
17:47 <sdake> tmcpeak ya I can make his changes, but I need Rob's +1
17:47 <sdake> or ajaeger won't merge the patch
17:47 <sdake> (it's an infrastructure requirement)
17:47 <sdake> i could merge it outside of the security project
17:47 <sdake> but that would be gaming the system, which i don't do :)
17:49 <tmcpeak> hyakuhei might be out for the weekend ;)
17:49 <tmcpeak> late in England
18:10 <openstackgerrit> OpenStack Proposal Bot proposed openstack/anchor: Updated from global requirements  https://review.openstack.org/314347
18:36 *** mvaldes has joined #openstack-security
18:44 *** KarthikB has quit IRC
18:45 *** zul has quit IRC
18:51 *** zul has joined #openstack-security
18:56 *** zul has quit IRC
18:56 *** zul has joined #openstack-security
19:15 *** salv-orl_ has joined #openstack-security
19:18 *** salv-orlando has quit IRC
19:22 *** ametts has quit IRC
19:33 *** austin987 has quit IRC
20:11 *** turvey has joined #openstack-security
20:15 *** turvey has quit IRC
20:15 *** rcernin has quit IRC
20:15 *** mwturvey has joined #openstack-security
20:31 *** datadog327 has quit IRC
20:42 *** diazjf has quit IRC
21:04 *** mvaldes has quit IRC
21:06 *** salv-orl_ has quit IRC
21:07 *** salv-orlando has joined #openstack-security
21:09 *** edtubill has joined #openstack-security
21:10 <unrahul> mdong: ccneill  Guys, it seems there was already an input validation sort of issue.. in vAPI
21:10 <ccneill> nice
21:10 <ccneill> what is it?
21:10 <unrahul> mdong: ccneill in user creation part, json.decode needs it to be ascii
21:11 <unrahul> mdavidson: ccneill  so what i did was, just put a try catch block around it and added a custom handler to print a stack trace sort of.. with the error code
21:12 <unrahul> ccneill: mdong , can you guys check this out and see if we need to add another string validation issue.. as well https://github.com/rahulunair/vulnerable-api/commit/dd24f0899b33cc6b8f261678a513cc06816b8f3e
21:12 *** mwturvey has left #openstack-security
21:12 <unrahul> ccneill: mdong  Now the vAPI will show a trace for all 500, 400 and 403 errors.. I wrote a handler method, otherwise the error is wrapped in html..
21:13 <vinaypotluri> Charles  so i want to confirm if I have to just print the default stacktrace or a custom msg
21:13 <vinaypotluri> https://www.irccloud.com/pastebin/4qnFBMPv/
21:13 <ccneill> unrahul / vinaypotluri : does the API not return the stacktrace on exceptions currently?
21:13 <unrahul> unrahul: nop
21:13 <ccneill> hmm
21:14 <vinaypotluri> not by default
21:14 <unrahul> ccneill: it gets stuck.. if something goes wrong.. at times
21:14 <ccneill> gimme a second
21:15 *** flerfb0rt has quit IRC
21:18 <unrahul> ccneill:  mdong In a way, it does throw the interpreter stack trace from the server, at times. but do we want that..? I thought it would be better to have a custom one as normally any real framework would have a custom trace ryt..?
21:18 <ccneill> so right now it looks like it's throwing an HTML error page
21:18 <ccneill> but I think if you change this line
21:18 <ccneill> https://github.com/rahulunair/vulnerable-api/blob/dd24f0899b33cc6b8f261678a513cc06816b8f3e/ansible/roles/api/files/vAPI.py#L259
21:19 <ccneill> to include debug=True
21:19 <ccneill> that *should* cause bottle to return the stacktrace when an exception is unhandled
21:19 *** austin987 has joined #openstack-security
21:19 <ccneill> I see that debug(True) is in there, but their docs aren't really clear on what the difference is..
21:20 <mdong> so right now doesn't it still return a stacktrace on 500s?
21:20 <ccneill> oh yeah
21:20 <ccneill> derp
21:20 <unrahul> ha.. yeah.. debug(True) returns a stacktrace from the interpreter
21:20 <unrahul> but.. it doesn't give much details.. like the status code and all
21:20 <ccneill> I should've just looked at my responses from Burp
21:20 <ccneill> yeah, it's already returning a stacktrace
21:20 <ccneill> so that's fine
21:21 <unrahul> So do we need a custom handler... ?
21:21 <ccneill> so long as a stacktrace is encountered and it spits it out from the API, we're good
21:21 <ccneill> no need to do anything special
21:21 <mdong> nah the current 500s are fine
21:22 <unrahul> for others.. like 4xx ..?
21:23 <ccneill> we just want it to handle it like a default bottle/flask/etc. app would
21:23 <ccneill> nothing fancy
21:23 <ccneill> if an unhandled exception is thrown, throw the stacktrace; if not, just print a generic error (404/whatever)
21:23 <ccneill> we don't want to make it too easy for ourselves :)
21:24 <unrahul> ryt.. sounds good..
21:24 <ccneill> >< gerrit's down
21:37 *** edtubill has quit IRC
21:40 *** tmcpeak1 has joined #openstack-security
21:40 *** tmcpeak1 has quit IRC
21:41 *** tmcpeak has quit IRC
21:54 *** dave-mccowan has quit IRC
22:01 *** mdong_ has joined #openstack-security
22:05 *** mdong has quit IRC
22:05 *** mdong_ is now known as mdong
22:29 *** mdong has quit IRC
22:31 *** markvoelker has quit IRC
22:41 *** edmondsw has quit IRC
23:16 *** alejandro has joined #openstack-security
23:18 *** alejandro has quit IRC

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!