Friday, 2023-08-11

[08:13] <SvenKieske> I'm still reading through the above bug report, but personally I always treated rmq queues as private, containing possibly very sensitive information.
[08:14] <SvenKieske> Where is the security boundary crossed here exactly? Are there really deployments where notification queues are readable by untrusted users? <- honest question, I don't know!
[08:17] <SvenKieske> I mean, it might be worth patching this irrespective of a discussion of whether this is a security issue, but on the other hand patching this as a security issue makes me expect that I can shovel my rabbitmq notifications straight to untrusted users. Can I really do that without causing harm? I don't know!
[08:19] <SvenKieske> e.g. looking at the patch at https://review.opendev.org/c/openstack/oslo.messaging/+/891096/7/oslo_messaging/notify/notifier.py what is considered a "safe value" there might very well be sensitive user data for some users/people, like user name, the whole auth user stuff, project name etc.
[08:20] <SvenKieske> I guess I'll directly reply on the patch/review
[12:05] <fungi> SvenKieske: yeah, i think a big part of it is that we may not document that notifications can include sensitive information, while people assume they're like service logs (where we at least try to redact authentication credentials at log levels above debug)
[12:22] <SvenKieske> I'd personally just document that they may contain sensitive information and move on (and of course still not log auth tokens!)
[12:23] <SvenKieske> but that's just me. I like the allow list approach, better than denylisting stuff that should not be logged
[12:39] <fungi> it's definitely a grey area, because we treat credential leaks into service logs as a vulnerability (except at debug level), and the projects have existing facilities to redact content in notifications. i just think nobody realized that if the notification payload was supplied with context, that context would include keystone tokens and be serialized into the notification payload
[12:40] <fungi> especially since it only happens with some notification drivers
