Disclosure of S3 secret access key

(Asher Densmore Lynn) #1

I was working on a Discourse forum – v2.0.0.beta9 – recently, when I spotted the Files tab of the administrative settings. I was surprised to see the S3 secret key displayed to the user, and I was horrified to observe that my changes to it were echoed, in full, in the dashboard logs.

This means that an attacker who manages to simply observe the Files tab has the ability to seize and delete Discourse backups during a rampage.

Please consider not displaying the secret key to even administrative users, and simply noting who changed the key and when in the audit trail.


(Jeff Atwood) #2

This is a bit of a catch-22, how is the admin entering the setting supposed to not see the setting they are entering?

Better advice is to simply limit who has admin access, and limit who has direct SSH access to the server.

(Asher Densmore Lynn) #3

They can see it when they set it, but when the UI is loaded, that field should be blank. If somebody shoulder-surfs me they should see the userID and the blank password field, just like the password-change dialogue on every user account page on every website I’ve encountered since the mid-2000s.

(Jeff Atwood) #4

I see, so you’re advocating for having the field hidden behind an extra click?

(Asher Densmore Lynn) #5

Well, my preference would be to standardize on the usual behavior – it should not appear even to the administrator; there should be a field where the administrator sets it, and it should load /blank/ instead of filled. Honestly, the only time I ever see click-to-reveal is when you’re dealing with something designed to store sets of credentials, not a single one, but click-to-reveal would resolve that half of it, yes.

Either way, though, the log entries that show setting changes that echo the password back in plaintext are… not a common behavior.

(Jay Pfaffman) #6

You can set them in the app.yml file and have them not show up in settings. Docker deployment with custom site_settings.yml provides hints

(Asher Densmore Lynn) #7

Well, yeah, and I can use an EC2 instance-role too and honestly I probably will be switching to that.

(Jeff Atwood) #8

Do you have any thoughts on how we could improve here @mpalmer? It is a Discourse core value™ to be safe by default, so it is worth thinking about any small things we can improve here as we go.

(Matt Palmer) #9

There’s two separate issues here, to my mind:

  1. Logging changes to sensitive data: I think that definitely needs to be fixed. We scrub passwords and API keys from logs, the same thing should definitely apply to S3 secret keys, IMO.
  2. Shoulder-surfing creds: Leaving the box blank, even though there’s a value set, seems like a UX nightmare – I predict “I entered the S3 key and now it’s gone!” support requests if we did that. It is handy to be able to check on an entered value to make sure it’s right – I’ve noticed a steady increase in the number of password entry boxes that have “click to show” ability. That seems like a reasonable middle ground to me – hide it behind dots or something by default, with a “click to show” option.

(Asher Densmore Lynn) #10

That’d settle it for me, yes.

(Jeff Atwood) #11

I think we should do part 1 in the 2.0 release, @techapj can you assist? It seems relatively straightforward, if we are doing it elsewhere? Let me know if it is not.

(Arpit Jalan) #12

While we are at it, should we scrub all these “secret” settings from staff logs?

  • google_oauth2_client_secret
  • twitter_consumer_secret
  • instagram_consumer_secret
  • facebook_app_secret
  • github_client_secret
  • s3_secret_access_key

The previous and new value will be replaced with [FILTERED], just like what we do in /logs. Example:

(Jeff Atwood) #13

Yes probably, I think the same logic would apply.

(Arpit Jalan) #14

Part 1 done in:

(Jeff Atwood) #15

I guess the logic should be, screen any setting from logs that has the string “secret” in it? Or _secret if you want to be careful.

(Arpit Jalan) #16

Got it. Will amend the logic to scrub any setting that has _secret in the name.

(Matt Palmer) #17

Since I’m sure more sensitive settings will appear in the future, and plugins may add some also, would it be particularly tricky to add the ability to mark “sensitive” site settings as such in site_settings.yml?

(Arpit Jalan) #18

Done in:

As per the current logic, these 8 settings will be scrubbed:

  • google_oauth2_client_secret
  • twitter_consumer_secret
  • instagram_consumer_secret
  • facebook_app_secret
  • github_client_secret
  • s3_secret_access_key
  • push_api_secret_key
  • sso_secret

Added on my list.

(Asher Densmore Lynn) #19

Wow, thanks a lot. Just in time for me to… switch to instance-role credentials. :smiley:

But seriously, thanks for getting it done!

(Matt Palmer) #20

I presume you’re familiar with the security considerations around instance role creds and SSRF vulnerabilities? It’s quite a pity AWS doesn’t protect the metadata store with a magic header like GCP does.