Closed Bug 54556 Opened 24 years ago Closed 24 years ago

sanitycheck.cgi can be run by unprivileged accounts

Categories

(Bugzilla :: Bugzilla-General, defect, P3)

Product:
Bugzilla
Component:
Bugzilla-General
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.14

People

(Reporter: mozilla, Assigned: tara)

References

(
URL
)

Details

Attachments

(2 files)

restricts sanitycheck.pl to users with "editbugs" privileges
1.12 KB, patch
Details | Diff | Splinter Review
breaks out confirm_login
1.13 KB, patch
Details | Diff | Splinter Review
http://bugzilla.mozilla.org/sanitycheck.cgi can be run from an ordinary bugzilla account (e.g. mine). On a bugs database as large as bugzilla.mozilla.org, that effectively counts as a DoS if done repeatedly.
CCing a couple mozilla.org folks. Any comments on this?
He's got a point. Making it require a logged-in, priviledged account to use wouldn't be a bad thing. Another reason for doing so is that it makes public some weird inconsistencies in the database, and it's not inconceivable that these could somehow be used in a security exploit. It is worth keeping in mind that it's essentially impossible to prevent DoS attacks on apps like Bugzilla anyway. All you have to do is construct a sufficiently complex saved query and run multiple instances simultaneously.
The only point I have to add is that people who perhaps might not have not been "privileged" have in the past used this facility to report bugs (numbers escape me, Dave I think it was you?). I suspect sanitycheck.cgi has been largely ignored by mozilla.org. An implementation of bug #45207 should make this a non-issue. We should try to remove as many DoS attacks as possible. It's possible future versions of Bugzilla could have better indexing to reduce the load those queries generate, and we could restrict the number of concurrent queries per IP (3 should be plenty). Not perfect, but many attackers aren't very advanced. I believe the major thing we've seen so far is the occasional bug stomping, so we could probably get to 99%.
Interestingly enough, sanity check only appears on the footer if you're in the "tweakparams" group.
See also bug 69616 for creating a new group for the ability to run sanitycheck.cgi.
Possibly a DOS in quantity -> we'll see about this for 2.14. I'd be inclined against tightening this up too much on b.m.o though, because some of us run this on b.m.o and file bugs on it.
Target Milestone: --- → Bugzilla 2.14
perhaps make you log in for it, and require editbugs privs. I'm sure most of us that actually use it legitimately have editbugs.
editbugs is easy to get, what about another group? cansanity?
The problem w/creating a system group (esp. just for sanitycheck) is that it takes away from the number of available product groups. I think editbugs should be restrictive enough as it will keep "just anybody" from running it.
Keywords: patch
I find the &&/|| much harder to understand then a simply if/unless block (esp. in this instance). Is there a techincal reason for using this syntax?
There isn't a technical reason for the syntax I used, I just find it cleaner and more readable in many situations, although I agree that in this case it might be more logical to break out &confirm_login since that function always returns either a true value or stops execution.
That's easier to read :) r=jake Checked In.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Bug #69616 wasn't about a new group for sanity checks, but I've filed bug #91761 on it.
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: