Description of problem:
The "downloads" route exposed by the openshift-console allows directory listings. A customer has identified this as a vulnerability requiring remediation.

Version-Release number of selected component (if applicable):
Openshift 4.4.5

How reproducible:
every time

Steps to Reproduce:
1. Browse to the "downloads" route, https://downloads-openshift-console.apps.FOO.BAR/

Actual results:
Confirm that a directory listing is served.

Expected results:
No directory listing is served.

Additional info:
$ OPENSHIFT_CONSOLE_DOWNLOADS_ROUTE="$(oc -n openshift-console get route/downloads -o jsonpath='{"https://"}{.spec.host}{"\n"}')"
$ echo $OPENSHIFT_CONSOLE_DOWNLOADS_ROUTE
https://downloads-openshift-console.apps.FOO.BAR
$ curl -k $OPENSHIFT_CONSOLE_DOWNLOADS_ROUTE
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<title>Directory listing for /</title>
<body>
<h2>Directory listing for /</h2>
<hr>
<ul>
<li><a href="amd64/">amd64/</a>
<li><a href="arm64/">arm64/</a>
<li><a href="ppc64le/">ppc64le/</a>
<li><a href="s390x/">s390x/</a>
</ul>
<hr>
</body>
</html>
Will check on latest version (later than 4.6.0-0.nightly-2020-08-04-210224)
Why recheck, this is still ASSIGNED, and has, to my knowledge, no attempt at implementing a fix yet. If someone else has implemented a fix, please remove me as the assigned dev :). Otherwise I hope to get around to this this week.
a test case is attached and will be automated
Going with "no docs needed", because this is a small security guard to an out-of-the-way place. Explaining that we are closing a possible data-leak against admins who exec into the downloads pod and drop sensitive content onto the disk under the served directory tree, seems... like it would be more distracting than useful.
Checked on 4.6.0-0.nightly-2020-08-31-224837

From CLI:
$ curl -k https://downloads-openshift-console.apps.xxia91aws.qe.devcluster.openshift.com/
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
</head>
<body>
<ul>
<li><a href="oc-license">license</a></li>
<li><a href="amd64/linux/oc">oc (amd64 linux)</a> (<a href="amd64/linux/oc.tar">tar</a> <a href="amd64/linux/oc.zip">zip</a>)</li>
<li><a href="amd64/mac/oc">oc (amd64 mac)</a> (<a href="amd64/mac/oc.tar">tar</a> <a href="amd64/mac/oc.zip">zip</a>)</li>
<li><a href="amd64/windows/oc.exe">oc (amd64 windows)</a> (<a href="amd64/windows/oc.exe.tar">tar</a> <a href="amd64/windows/oc.exe.zip">zip</a>)</li>
<li><a href="arm64/linux/oc">oc (arm64 linux)</a> (<a href="arm64/linux/oc.tar">tar</a> <a href="arm64/linux/oc.zip">zip</a>)</li>
<li><a href="ppc64le/linux/oc">oc (ppc64le linux)</a> (<a href="ppc64le/linux/oc.tar">tar</a> <a href="ppc64le/linux/oc.zip">zip</a>)</li>
<li><a href="s390x/linux/oc">oc (s390x linux)</a> (<a href="s390x/linux/oc.tar">tar</a> <a href="s390x/linux/oc.zip">zip</a>)</li>
</ul>
</body>
</html>

The console displays the route as an index page; it looks the same (with links):
license
oc (amd64 linux) (tar zip)
oc (amd64 mac) (tar zip)
oc (amd64 windows) (tar zip)
oc (arm64 linux) (tar zip)
oc (ppc64le linux) (tar zip)
oc (s390x linux) (tar zip)

@jteagno Could you take a look at the current fix? I think this could be Verified.
(In reply to XiaochuanWang from comment #23)
> @jteagno Could you take a look at the current fix? I think this could be
> Verified.

Thanks! Looks good to me. This can be considered verified.
Thanks! Moving to Verified on 4.6.0-0.nightly-2020-08-31-224837
4.4 and earlier are in maintenance phase [1], so I don't think we need to backport this low-priority fix that far. I'm agnostic about whether this gets picked back to 4.5 or not. I have a really hard time imagining someone accidentally exec'ing into these containers and writing sensitive content to disk. But the backport wouldn't be that hard either. [1]: https://access.redhat.com/support/policy/updates/openshift#dates
If there is need, 4.5 cherry-pick with squashed fixes: https://github.com/multi-arch/console-operator/commit/83cf1c8dfde1568881fb9da4f0a52810d33a9853
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196