Posted to dev@couchdb.apache.org by ermouth <er...@gmail.com> on 2020/06/24 08:33:40 UTC

Newsfeed IFRAME in Fauxton and IP collection

Since I hadn’t received any answer on GitHub, I’d like to raise an
important CouchDB Fauxton security question publicly.

One of the latest Fauxton PRs (
https://github.com/apache/couchdb-fauxton/pull/1284) adds a remote newsfeed
to Fauxton. Emitting a newsfeed in the admin panel in that way may lead to
IP collection of CouchDB instances (or subnets, that is even worse)
somewhere.

Where is this ‘somewhere’ located? Pinging blog.couchdb.org shows it points
to lb.wordpress.com, which seems a bit ridiculous. CouchDB instances are
not uncommon for very critical parts of infrastructure and security
projects, and I doubt anyone wants to expose node IPs to _whatever_ logs,
esp. wordpress.com.

So I’d like to ask devs and users: does anyone think adding news to the
admin panel is worth creating such a security hole?

ermouth

Re: Newsfeed IFRAME in Fauxton and IP collection

Posted by Robert Samuel Newson <rn...@apache.org>.
Hi,

I share the discomfort in fauxton making a remote connection without warning and agree with Jan that some confirmation screen should be added.

It's also fine for this to be on master while it develops, master is not a release and is not guaranteed to be releasable either. Anyone deploying master directly does so at their own risk.

Finally, we kindly ask that all security-related issues are responsibly disclosed to security@couchdb.apache.org.

B.

> On 24 Jun 2020, at 14:46, Jan Lehnardt <ja...@apache.org> wrote:
> 
> 
> 
>> On 24. Jun 2020, at 14:31, ermouth <er...@gmail.com> wrote:
>> 
>>> My PR was meant to start this discussion
>> 
>> Unfortunately it was instead merged to master, which is unbearable imho.
>> Shouldn’t that PR be rolled back and removed from the master branch
>> immediately then?
> 
> 
> as long as we make sure we don’t cut a release from this, which is currently
> not planned, there is no need to rush a revert.
> 
>> As a proposal it’s ok, but to achieve intended goal I think it’s enough to
>> add blogs to Documentation section. Btw making that section look like a
>> grid of tiles with appropriate icons might greatly increase both its
>> attractiveness and UX quality.
> 
> People don’t usually click through to the blog. There is tons of good information
> there that folks in support channels ask questions about time and time again. 
> I wanted to give all this a more prominent spot, so folks can learn about all
> the good stuff on their own.
> 
> Best
> Jan
> —


Re: Newsfeed IFRAME in Fauxton and IP collection

Posted by Jan Lehnardt <ja...@apache.org>.

> On 24. Jun 2020, at 14:31, ermouth <er...@gmail.com> wrote:
> 
>> My PR was meant to start this discussion
> 
> Unfortunately it was instead merged to master, which is unbearable imho.
> Shouldn’t that PR be rolled back and removed from the master branch
> immediately then?


as long as we make sure we don’t cut a release from this, which is currently
not planned, there is no need to rush a revert.

> As a proposal it’s ok, but to achieve intended goal I think it’s enough to
> add blogs to Documentation section. Btw making that section look like a
> grid of tiles with appropriate icons might greatly increase both its
> attractiveness and UX quality.

People don’t usually click through to the blog. There is tons of good information
there that folks in support channels ask questions about time and time again. 
I wanted to give all this a more prominent spot, so folks can learn about all
the good stuff on their own.

Best
Jan
—

Re: Newsfeed IFRAME in Fauxton and IP collection

Posted by ermouth <er...@gmail.com>.
> My PR was meant to start this discussion

Unfortunately it was instead merged to master, which is unbearable imho.
Shouldn’t that PR be rolled back and removed from the master branch
immediately then?

As a proposal it’s ok, but to achieve the intended goal I think it’s enough to
add blogs to the Documentation section. Btw making that section look like a
grid of tiles with appropriate icons might greatly increase both its
attractiveness and UX quality.

ermouth

Re: Newsfeed IFRAME in Fauxton and IP collection

Posted by Jan Lehnardt <ja...@apache.org>.
Thanks ermouth,

I’m surprised my proposal made it through without discussion. I have the
same question ;D

FWIW, this “leaks” the browser connection to the internet, not necessarily
CouchDB instance data.

For a production version of this, I would at least expect an opt-in button
on that page, before loading remote content.

My PR was meant to start this discussion :)

Best
Jan
—

> On 24. Jun 2020, at 10:33, ermouth <er...@gmail.com> wrote:
> 
> Since I hadn’t received any answer at Github, I’d like to raise an
> important CouchDB Fauxton security question publicly.
> 
> One of the latest Fauxton PRs (
> https://github.com/apache/couchdb-fauxton/pull/1284) adds a remote newsfeed
> to Fauxton. Emitting a newsfeed in the admin panel in that way may lead to
> IP collection of CouchDB instances (or subnets, that is even worse)
> somewhere.
> 
> Where is this ‘somewhere’ located? Pinging blog.couchdb.org shows it points
> to lb.wordpress.com, which seems a bit ridiculous. CouchDB instances are
> not uncommon for very critical parts of infrastructure and security
> projects, and I doubt anyone wants to expose node IPs to _whatever_ logs,
> esp wordpress.com.
> 
> So I’d like to ask devs and users: does anyone think adding news to the
> admin panel worth creating such a security hole?
> 
> ermouth

