The default bug view has changed. See this FAQ.

sanitycheck.cgi can be run by unprivileged accounts

RESOLVED FIXED in Bugzilla 2.14

Status

()

Bugzilla
Bugzilla-General
P3
minor
RESOLVED FIXED
17 years ago
4 years ago

People

(Reporter: Adam Spiers, Assigned: Tara Hernandez)

Tracking

unspecified
Bugzilla 2.14

Details

(URL)

Attachments

(2 attachments)

(Reporter)

Description

17 years ago
http://bugzilla.mozilla.org/sanitycheck.cgi can be run from an
ordinary bugzilla account (e.g. mine).  On a bugs database
as large as bugzilla.mozilla.org, that effectively counts as
a DoS if done repeatedly.
CCing a couple mozilla.org folks.  Any comments on this?

Comment 2

17 years ago
He's got a point.  Making it require a logged-in, priviledged account to use
wouldn't be a bad thing.  Another reason for doing so is that it makes public
some weird inconsistencies in the database, and it's not inconceivable that
these could somehow be used in a security exploit.

It is worth keeping in mind that it's essentially impossible to prevent DoS
attacks on apps like Bugzilla anyway.  All you have to do is construct a
sufficiently complex saved query and run multiple instances simultaneously.
The only point I have to add is that people who perhaps might not have not been
"privileged" have in the past used this facility to report bugs (numbers escape
me, Dave I think it was you?).  I suspect sanitycheck.cgi has been largely
ignored by mozilla.org.  An implementation of bug #45207 should make this a
non-issue.

We should try to remove as many DoS attacks as possible.

It's possible future versions of Bugzilla could have better indexing to reduce
the load those queries generate, and we could restrict the number of concurrent
queries per IP (3 should be plenty).  Not perfect, but many attackers aren't
very advanced.  I believe the major thing we've seen so far is the occasional
bug stomping, so we could probably get to 99%.
Interestingly enough, sanity check only appears on the footer if you're in the
"tweakparams" group.

Comment 5

16 years ago
See also bug 69616 for creating a new group for the ability to run 
sanitycheck.cgi.
Possibly a DOS in quantity -> we'll see about this for 2.14.

I'd be inclined against tightening this up too much on b.m.o though, because
some of us run this on b.m.o and file bugs on it.
Target Milestone: --- → Bugzilla 2.14
perhaps make you log in for it, and require editbugs privs.  I'm sure most of us 
that actually use it legitimately have editbugs.

Comment 8

16 years ago
editbugs is easy to get, what about another group? cansanity?

Comment 9

16 years ago
The problem w/creating a system group (esp. just for sanitycheck) is that it
takes away from the number of available product groups.  I think editbugs should
be restrictive enough as it will keep "just anybody" from running it.
Created attachment 36726 [details] [diff] [review]
restricts sanitycheck.pl to users with "editbugs" privileges
Keywords: patch

Comment 11

16 years ago
I find the &&/|| much harder to understand then a simply if/unless block (esp.
in this instance).  Is there a techincal reason for using this syntax?
There isn't a technical reason for the syntax I used, I just find it cleaner and
more readable in many situations, although I agree that in this case it might be
more logical to break out &confirm_login since that function always returns
either a true value or stops execution.
Created attachment 36875 [details] [diff] [review]
breaks out confirm_login

Comment 14

16 years ago
That's easier to read :)
r=jake
Checked In.
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
Bug #69616 wasn't about a new group for sanity checks, but I've filed bug #91761
on it.
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.