Closed Bug 54556 Opened 24 years ago Closed 23 years ago

sanitycheck.cgi can be run by unprivileged accounts

Categories

(Bugzilla :: Bugzilla-General, defect, P3)

Tracking

()

RESOLVED FIXED
Bugzilla 2.14

People

(Reporter: mozilla, Assigned: tara)

References

()

Details

Attachments

(2 files)

http://bugzilla.mozilla.org/sanitycheck.cgi can be run from an
ordinary bugzilla account (e.g. mine).  On a bugs database
as large as bugzilla.mozilla.org, that effectively counts as
a DoS if done repeatedly.
CCing a couple mozilla.org folks.  Any comments on this?
He's got a point.  Making it require a logged-in, priviledged account to use
wouldn't be a bad thing.  Another reason for doing so is that it makes public
some weird inconsistencies in the database, and it's not inconceivable that
these could somehow be used in a security exploit.

It is worth keeping in mind that it's essentially impossible to prevent DoS
attacks on apps like Bugzilla anyway.  All you have to do is construct a
sufficiently complex saved query and run multiple instances simultaneously.
The only point I have to add is that people who perhaps might not have not been
"privileged" have in the past used this facility to report bugs (numbers escape
me, Dave I think it was you?).  I suspect sanitycheck.cgi has been largely
ignored by mozilla.org.  An implementation of bug #45207 should make this a
non-issue.

We should try to remove as many DoS attacks as possible.

It's possible future versions of Bugzilla could have better indexing to reduce
the load those queries generate, and we could restrict the number of concurrent
queries per IP (3 should be plenty).  Not perfect, but many attackers aren't
very advanced.  I believe the major thing we've seen so far is the occasional
bug stomping, so we could probably get to 99%.
Interestingly enough, sanity check only appears on the footer if you're in the
"tweakparams" group.
See also bug 69616 for creating a new group for the ability to run 
sanitycheck.cgi.
Possibly a DOS in quantity -> we'll see about this for 2.14.

I'd be inclined against tightening this up too much on b.m.o though, because
some of us run this on b.m.o and file bugs on it.
Target Milestone: --- → Bugzilla 2.14
perhaps make you log in for it, and require editbugs privs.  I'm sure most of us 
that actually use it legitimately have editbugs.
editbugs is easy to get, what about another group? cansanity?
The problem w/creating a system group (esp. just for sanitycheck) is that it
takes away from the number of available product groups.  I think editbugs should
be restrictive enough as it will keep "just anybody" from running it.
Keywords: patch
I find the &&/|| much harder to understand then a simply if/unless block (esp.
in this instance).  Is there a techincal reason for using this syntax?
There isn't a technical reason for the syntax I used, I just find it cleaner and
more readable in many situations, although I agree that in this case it might be
more logical to break out &confirm_login since that function always returns
either a true value or stops execution.
That's easier to read :)
r=jake
Checked In.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Bug #69616 wasn't about a new group for sanity checks, but I've filed bug #91761
on it.
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.