couchdb-marketing mailing list archives

From Jan Lehnardt <...@apache.org>
Subject Re: SmileUpps Features (Was: How do CouchApps fit into the CouchDB story? (Was: CouchDB Articles, Pills and Tutorials Ideas))
Date Tue, 05 May 2015 17:08:27 GMT

> On 05 May 2015, at 18:53, Giovanni Lenzi <g.lenzi@smileupps.com> wrote:
> 
>> I found a massive security concern
> 
> I still haven't heard of a single path for exploit, but ok...

I make a GET request to http://<ip-address>:<port>/database/_all_docs?include_docs=true
authenticated as one of your users, with your couchapp in it. In CouchDB parlance, I get all
docs if I have access to the db. There is no way of making CouchDB only return “my” documents
and not documents from other users. There is also no way of forcing me another route. What
happens on your system?

> everyone will remain with his own convictions

I’m trying to find out if I misunderstand a system that I designed. I must be missing something.
Are you not saying you can make it so multiple users can share one database and only get r/w
access to their own docs?

Best
Jan
--

> 
> Thanks for your patience too
> 
> 
> 2015-05-05 17:09 GMT+02:00 Jan Lehnardt <jan@apache.org>:
> 
>> 
>>> On 05 May 2015, at 16:36, Giovanni Lenzi <g.lenzi@smileupps.com> wrote:
>>> 
>>>> otherwise, again, the system is insecure (I helped build it that way).
>>> To tell the truth, with handlers renaming or as soon as an attacker doesn't
>>> know your db name, the system can still be secured without any proxy. However,
>>> if proxy is really a concern, a fix to use CouchDB only, could eventually
>>> be creating a new "default _rewrite path" parameter within couchdb
>>> configuration, to be used as "default path" in case of request without or
>>> with an incorrect "Host Header"
>>> 
>>> Jan, trust me... All I'm doing here is to bring help with marketing,
>>> tutorials and CouchDB improvements... I hope this can be recognized
>> 
>> No worries, I 100% recognise your efforts.
>> 
>> Thank you for being patient with me.
>> 
>> My only concern was with understanding how your particular flavour of CouchApp
>> works and I think I found a massive security concern. That’s why I won’t be
>> advocating for this particular solution (not saying it can’t be, but it isn’t
>> today).
>> 
>> With that out of the way, let’s get back to the story part of this discussion.
>> 
>> Thanks
>> Jan
>> --
>> 
>> 
>>> 
>>> 
>>> 2015-05-05 15:57 GMT+02:00 Jan Lehnardt <jan@apache.org>:
>>> 
>>>> 
>>>>> On 05 May 2015, at 15:50, Giovanni Lenzi <g.lenzi@smileupps.com> wrote:
>>>>> 
>>>>>> CouchDB has no way of blocking requests to _changes that have no filter
>>>>>> parameter
>>>>> Why? _rewrite handler is used to allow only requests complying with your
>>>>> api, and therefore preventing requests to changes without a filter. You
>>>>> can have a look to rewrites.json file for this.
>>>>> 
>>>>> I agree proxy is a best practice as a load balancer and to forward only
>>>>> requests to allowed vhosts, like Smileupps, Iriscouch or Cloudant all are
>>>>> doing, even if it's not strictly mandatory for security.
>>>>> 
>>>>> Anyway, I was not interested here, in raising this kind of technical
>>>>> discussion. My starting e-mail only wanted to be constructive, by proposing
>>>>> a way to push content around CouchDB and Couchapps, to help everyone
>>>>> understand what they really can and cannot do.
>>>> 
>>>> I’m sorry to derail this, but I want to make sure I understand your system
>>>> before I can argue for or against your claims :)
>>>> 
>>>> Your point that CouchApps can be a platform is well taken, thank you for
>>>> that!
>>>> 
>>>> You equally can’t force a client to use a _request handler, only if you
>>>> block requests without a Host: header in a proxy in front of CouchDB,
>>>> otherwise, again, the system is insecure (I helped build it that way).
>>>> 
>>>> Best
>>>> Jan
>>>> --
>>>> 
>>>> 
>>>>> 
>>>>> 
>>>>> 2015-05-05 15:21 GMT+02:00 Jan Lehnardt <jan@apache.org>:
>>>>> 
>>>>>> 
>>>>>>> On 05 May 2015, at 15:14, Giovanni Lenzi <g.lenzi@smileupps.com> wrote:
>>>>>>> 
>>>>>>>> That happens in a proxy outside of CouchDB then?
>>>>>>> 
>>>>>>> No, it happens in the changes filter of the design document.
>>>>>> 
>>>>>> You cannot force a client to use a filter. CouchDB has no way of blocking
>>>>>> requests to _changes that have no filter parameter. If you are not doing
>>>>>> that in a proxy, your system is not secure.
>>>>>> 
>>>>>> Best
>>>>>> Jan
>>>>>> --
>>>>>> Professional Support for Apache CouchDB:
>>>>>> http://www.neighbourhood.ie/couchdb-support/
>>>>>> 
>>>>>> 
>>>> 
>>>> --
>>>> Professional Support for Apache CouchDB:
>>>> http://www.neighbourhood.ie/couchdb-support/
>>>> 
>>>> 
>> 
>> --
>> Professional Support for Apache CouchDB:
>> http://www.neighbourhood.ie/couchdb-support/
>> 
>> 

-- 
Professional Support for Apache CouchDB:
http://www.neighbourhood.ie/couchdb-support/
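
The proxy-side check discussed in this thread, sketched as an added example (not code from the message, from Smileupps or from CouchDB): forward a request only when its Host header names a vhost that CouchDB maps to the app's `_rewrite` handler, and record which raw endpoint every other request addressed. The vhost name, the reason labels and the sample requests are assumptions made up for illustration.

```javascript
// Added example: host names and sample requests are constructed, not from the thread.
// Assumption: each host listed here is a CouchDB vhost mapped to the app's _rewrite handler.
const VHOSTS = new Set(['app.example.com']);

// Normalise a Host header value: lower-case, drop the port and a trailing dot.
function normaliseHost(value) {
  if (typeof value !== 'string') return '';
  return value.trim().toLowerCase().replace(/:\d+$/, '').replace(/\.$/, '');
}

// Name the raw CouchDB endpoint a rejected request addressed, for the proxy log.
function rawEndpoint(url) {
  let segments, query;
  try {
    const u = new URL(url, 'http://proxy.invalid');
    // Decode each segment so encoded and plain spellings are classified alike.
    segments = u.pathname.split('/').filter(Boolean).map(decodeURIComponent);
    query = u.searchParams;
  } catch (err) {
    return 'malformed-url';
  }
  const endpoint = segments[1] || '';
  if (endpoint === '_all_docs') return 'all-docs';
  if (endpoint === '_changes') {
    // On the raw API the client picks the filter, so that case is logged separately.
    return query.has('filter') ? 'changes-client-chosen-filter' : 'changes-unfiltered';
  }
  return 'other-raw-path';
}

// Forward only requests CouchDB will route through the vhost's _rewrite rules.
function decide(req) {
  const host = normaliseHost(req.headers.host);
  if (VHOSTS.has(host)) return { forward: true, reason: 'vhost' };
  return { forward: false, reason: rawEndpoint(req.url) };
}

// Constructed requests (203.0.113.10 is a documentation address).
const SAMPLES = [
  { url: '/tasks', headers: { host: 'App.Example.com:443' } },
  { url: '/database/_all_docs?include_docs=true', headers: { host: '203.0.113.10:5984' } },
  { url: '/database/_changes', headers: {} },
];
for (const req of SAMPLES) console.log(req.url, decide(req));
```

The rejection reasons are only log labels; the decision itself depends on the Host header alone, which is the one control the thread says has to live in the proxy.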

