[users at bb.net] Restrict user access to /json and other magic urls

Narunas Krasauskas narun4sk at gmail.com
Fri Aug 19 09:56:58 UTC 2016


Hi bb-users,

At present I'm exploring Buildbot version 0.8.14, which I have installed
via pip.

After reading:
http://docs.buildbot.net/current/manual/cfg-statustargets.html?highlight=authz#webstatus-configuration-parameters

I ended up with the following config:

from buildbot.status import html
from buildbot.status.web import auth, authz

# Single static user; 'usr'/'pwd' are placeholders in this post.
auth_usr = auth.BasicAuth([('usr', 'pwd')])

authz_cfg = authz.Authz(
    auth=auth_usr,
    # 'auth' = only when logged in, True = anyone, False = nobody
    view='auth',
    forceBuild='auth',
    forceAllBuilds=False,
    pingBuilder=False,
    gracefulShutdown=False,
    pauseSlave='auth',
    stopBuild='auth',
    stopAllBuilds=False,
    cancelPendingBuild='auth',
    cancelAllPendingBuilds=False,
    stopChange='auth',
    cleanShutdown=True,
    showUsersPage=False,
)

c['status'].append(
    html.WebStatus(
        # listen on the public interface only (address redacted in the post)
        http_port='tcp:8010:interface=46.101.x.x',
        authz=authz_cfg,
        # separate credentials file for the GitLab change hook
        change_hook_auth=['file:changehook.passwd'],
        change_hook_dialects={'gitlab': True},
    )
)


Such a config at first glance works in the way you would expect it to and
restricts user access to URLs such as http://46.101.x.x:8010/builders.

However, if I specify the URL in full:
http://46.101.x.x:8010/builders/my-builder/builds/0/steps/git/logs/stdio

I get full access to the details, regardless of the fact that I'm logged off.
Just to prove to myself that I'm not insane and that I'm not experiencing some
kind of browser cache issue, I tried to open that URL in a different
browser, and it worked.

The same applies to /json. I don't have to be logged in to browse through
developer emails, server IP addresses and ports, revision IDs and other
vital information.


Currently the only way I can think of to enhance security is to put
Buildbot behind a reverse proxy...

Has security never been the main goal of Buildbot, or have I just found
a nasty bug?


Thanks

Narunas
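The check below is an added example and is not part of the original post or of Buildbot itself. It reproduces what the post describes by hand: fetch the WebStatus pages anonymously (no cookies, no Basic-Auth header) and report which ones the server still serves. The base URL, the placeholder path list, the User-Agent string and the helper names are assumptions; the builder and step names come from the post's own placeholder URL. The fetcher is injectable so the classification logic can be exercised offline.

```python
"""Probe a Buildbot 0.8 WebStatus for pages reachable without logging in.

Added example (not from the post or from Buildbot). Assumes the base URL and
path list below; nothing here depends on Buildbot internals, it only issues
anonymous HTTP GETs and classifies the answers.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# Paths from the post; "my-builder" and the "git" step are its placeholders.
DEFAULT_PATHS = [
    "/builders",
    "/builders/my-builder/builds/0/steps/git/logs/stdio",
    "/json",
    "/json/builders",
]

Response = Tuple[int, str]  # (HTTP status, decoded body)


def anonymous_get(url: str) -> Response:
    """GET `url` with no credentials and no cookies; HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "bb-authz-probe"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(base_url: str, paths: Iterable[str] = DEFAULT_PATHS,
          fetch: Callable[[str], Response] = anonymous_get) -> Dict[str, Response]:
    """Fetch every path anonymously and return {path: (status, body)}."""
    base = base_url.rstrip("/")
    return {p: fetch(base + p) for p in paths}


def body_is_json(body: str) -> bool:
    """True when the body is a JSON object or array, i.e. real API data rather
    than an HTML error or login page that happened to come back with 200."""
    try:
        return isinstance(json.loads(body), (dict, list))
    except ValueError:
        return False


def exposed_paths(results: Dict[str, Response]) -> List[str]:
    """Paths the server served to the anonymous client.

    A /json path counts only if the body really is JSON. For HTML pages any
    2xx counts, so inspect those bodies by hand: a 200 that renders a login
    form would be a false positive here.
    """
    exposed = []
    for path, (status, body) in results.items():
        if not 200 <= status < 300:
            continue
        if path == "/json" or path.startswith("/json/"):
            if body_is_json(body):
                exposed.append(path)
        else:
            exposed.append(path)
    return sorted(exposed)


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8010"
    res = probe(base)
    for path, (status, body) in res.items():
        print(f"{status} {len(body):7d} bytes  {path}")
    leaked = exposed_paths(res)
    print("reachable without login:", ", ".join(leaked) if leaked else "none")
```

Run it as `python probe.py http://46.101.x.x:8010` from a host that is not logged in. Because the WebStatus authz is per-action rather than per-URL, the useful comparison is between the top-level page and the deep build/log URL and between /json and what the same paths return after logging in; the JSON check is the reliable one, since a JSON body served to an anonymous client is unambiguous, while an HTML 200 must be read before calling it a leak. Whatever this reports, a reverse proxy that requires authentication for every path (not just the ones WebStatus happens to guard) is the layer that closes the gap.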