Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove osd-name from response headers #574

Closed
wants to merge 1 commit into from
Closed

Remove osd-name from response headers #574

wants to merge 1 commit into from

Conversation

tmarkley
Copy link
Contributor

@tmarkley tmarkley commented Jun 30, 2021
edited
Loading

This is a draft PR to gather feedback.

Description

Addresses a potential security risk where the header could be used for targeted attacks. Depending on the deployment configuration, this header may include the IP address of the host. The header is included even if an error response is returned, meaning that it's possible that anyone could get access to this information, even if they are not authenticated/authorized to access the Dashboards instance.

As for why this header exists in the first place, I dug back through the commit history and found this comment attach the app name to the server, so we can be sure we are actually talking to kibana here (which was merged to the main repo): https://github.com/pgayvallet/kibana/blob/ec481861799ed8dcced9cafd8112e5b26e641c54/src/legacy/server/http/index.js#L63

However, there aren't any references that I could find in our code base or for any plugins that require this header. I can keep digging for more information.

Testing

Screen Shot 2021-07-06 at 1 28 40 PM

Issues Resolved

N/A - security risk

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff

Removes osd-name from response headers
17002b1 
Addresses a potential security risk where the header could be used for
targeted attacks.

Signed-off-by: Tommy Markley <markleyt@amazon.com>
@tmarkley tmarkley self-assigned this Jun 30, 2021
@tmarkley tmarkley marked this pull request as draft June 30, 2021 23:45
@opensearch-ci-bot
Copy link
Collaborator

✅   DCO Check Passed 17002b1

@kavilla
Copy link
Member

kavilla commented Jun 30, 2021

This has no impact in the application? Do plugins consume it?

@tmarkley
Copy link
Contributor Author

tmarkley commented Jul 1, 2021

This has no impact in the application? Do plugins consume it?

@kavilla I did some basic smoke tests and everything was fine. I also searched across repos for both "osd-name" and "kbn-name" and didn't find anything. I can post that information in the description.

@galangel
Copy link
Contributor

galangel commented Jul 1, 2021

@tmarkley Hi, can you elaborate on why this header was necessary or give some examples of the possible exploit?
I'm just not sure why it was there in the first place.

@tmarkley
Copy link
Contributor Author

tmarkley commented Jul 1, 2021

@tmarkley Hi, can you elaborate on why this header was necessary or give some examples of the possible exploit?

I'm just not sure why it was there in the first place.

@galangel Yeah, great question. Depending on the deployment configuration, this header can actually include the IP address of the host. The header is included even if an error response is returned, meaning that it's possible that anyone could get access to this information, even if they are not authenticated/authorized to access the Dashboards instance.

As for why it was there, I had to dig back through the commit history to try to figure that out. The only information I've found thus far was the comment 'attach the app name to the server, so we can be sure we are actually talking to kibana' here (which was merged to the main repo): https://github.com/pgayvallet/kibana/blob/ec481861799ed8dcced9cafd8112e5b26e641c54/src/legacy/server/http/index.js#L63

However, there aren't any references that I could find in our code base or for any plugins that require this header. I can keep digging for more information.

@tmarkley tmarkley changed the title Removes osd-name from response headers Remove osd-name from response headers Jul 1, 2021
@tmarkley tmarkley removed the v1.0.0 label Jul 7, 2021
@tmarkley
Copy link
Contributor Author

Closing for now - we want to be hesitant with breaking changes for our 1.x releases, there is a known workaround (changing the http config name), and this only applies to a small subset of environments.

@tmarkley tmarkley closed this Jul 27, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@seraphjiang seraphjiang Awaiting requested review from seraphjiang

@kavilla kavilla Awaiting requested review from kavilla kavilla is a code owner

@ananzh ananzh Awaiting requested review from ananzh ananzh is a code owner

@AMoo-Miki AMoo-Miki Awaiting requested review from AMoo-Miki AMoo-Miki will be requested when the pull request is marked ready for review AMoo-Miki is a code owner

@ashwin-pc ashwin-pc Awaiting requested review from ashwin-pc ashwin-pc will be requested when the pull request is marked ready for review ashwin-pc is a code owner

@joshuarrrr joshuarrrr Awaiting requested review from joshuarrrr joshuarrrr will be requested when the pull request is marked ready for review joshuarrrr is a code owner

@abbyhu2000 abbyhu2000 Awaiting requested review from abbyhu2000 abbyhu2000 will be requested when the pull request is marked ready for review abbyhu2000 is a code owner

@zengyan-amazon zengyan-amazon Awaiting requested review from zengyan-amazon zengyan-amazon will be requested when the pull request is marked ready for review zengyan-amazon is a code owner

@zhongnansu zhongnansu Awaiting requested review from zhongnansu zhongnansu will be requested when the pull request is marked ready for review zhongnansu is a code owner

@manasvinibs manasvinibs Awaiting requested review from manasvinibs manasvinibs will be requested when the pull request is marked ready for review manasvinibs is a code owner

@ZilongX ZilongX Awaiting requested review from ZilongX ZilongX will be requested when the pull request is marked ready for review ZilongX is a code owner

@Flyingliuhub Flyingliuhub Awaiting requested review from Flyingliuhub Flyingliuhub will be requested when the pull request is marked ready for review Flyingliuhub is a code owner

@curq curq Awaiting requested review from curq curq will be requested when the pull request is marked ready for review curq is a code owner

@bandinib-amzn bandinib-amzn Awaiting requested review from bandinib-amzn bandinib-amzn will be requested when the pull request is marked ready for review bandinib-amzn is a code owner

@SuZhou-Joe SuZhou-Joe Awaiting requested review from SuZhou-Joe SuZhou-Joe will be requested when the pull request is marked ready for review SuZhou-Joe is a code owner

@ruanyl ruanyl Awaiting requested review from ruanyl ruanyl will be requested when the pull request is marked ready for review ruanyl is a code owner

@BionIT BionIT Awaiting requested review from BionIT BionIT will be requested when the pull request is marked ready for review BionIT is a code owner

@xinruiba xinruiba Awaiting requested review from xinruiba xinruiba will be requested when the pull request is marked ready for review xinruiba is a code owner

@zhyuanqi zhyuanqi Awaiting requested review from zhyuanqi zhyuanqi will be requested when the pull request is marked ready for review zhyuanqi is a code owner

@mengweieric mengweieric Awaiting requested review from mengweieric mengweieric will be requested when the pull request is marked ready for review mengweieric is a code owner

@LDrago27 LDrago27 Awaiting requested review from LDrago27 LDrago27 will be requested when the pull request is marked ready for review LDrago27 is a code owner

@virajsanghvi virajsanghvi Awaiting requested review from virajsanghvi virajsanghvi will be requested when the pull request is marked ready for review virajsanghvi is a code owner

@sejli sejli Awaiting requested review from sejli sejli will be requested when the pull request is marked ready for review sejli is a code owner

@joshuali925 joshuali925 Awaiting requested review from joshuali925 joshuali925 will be requested when the pull request is marked ready for review joshuali925 is a code owner

@huyaboo huyaboo Awaiting requested review from huyaboo huyaboo will be requested when the pull request is marked ready for review huyaboo is a code owner

Assignees

@tmarkley tmarkley

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@tmarkley @opensearch-ci-bot @kavilla @galangel