*DESCRIPTION*
A medium severity security vulnerability in Galaxy Data Libraries was recently discovered by Jelle Scholtalbers, and in the course of investigating this vulnerability, we discovered multiple related attack vectors.
This vulnerability allows the following unauthorized actions:
1. Any user that has been granted the permission to add datasets to a library, library folder, or to modify an existing library dataset (an "authorized user"), is able to import any file on the system that is readable by the user running the Galaxy server.
2. Anyone can create libraries and library folders (but not add datasets to them)
This is possible due to incorrect checking of admin privileges and for symbolic links in the user's `user_library_import_dir`. Neither case can be exploited directly through the Galaxy UI, but both can be exploited through the API. Case #1 is not exploitable by any user who is not an "authorized user" or if none of `library_import_dir`, `user_library_import_dir`, and `allow_path_paste` (formerly `allow_library_path_paste`) are set in galaxy.ini.
This vulnerability has assigned the disclosure ID GX-2017-0001.
*AFFECTED VERSIONS*
This vulnerability affects all known versions of Galaxy.
*IMPACT*
The more severe vulnerability (reading arbitrary files) can only be exploited by users with elevated library privileges, so its exploitability is limited to users whom the Galaxy server admin(s) presumably know and trust. The creation of arbitrary libraries and folders is a nuisance, but not in and of itself a security issue.
*SOLUTION*
Per our security policies[1], we have implemented fixes for versions of Galaxy from 16.07 through the forthcoming 17.09. These have been committed to the corresponding `release_YY.MM` (and `dev`) branches in the Galaxy GitHub repository.
Releases prior to 16.07 will remain vulnerable and should be updated to a supported release as soon as possible.
If your user `user_library_import_dir` or any of its parents are symlinks, user library imports will fail. You should put the fully canonicalized absolute path in this galaxy.ini option.
Because the fix disallows symlinks in `user_library_import_dir` which point outside the user's particular subdirectory, and because some Galaxy admins may have found this to be a useful ability, we have created a new `user_library_import_symlink_whitelist` option in galaxy.ini that allows admins to configure directories to which symlinks should be allowed. However, please be aware that *any* user with library add/modify privileges and the ability to create symbolic links will be able to import from any whitelisted directory. There is no per-user restriction for whitelisted directories.
*INSTRUCTIONS*
The fixes are available on the `release_16.07` through `release_17.09` and `dev` branches in the Galaxy GitHub repository[2]. You can simply `git pull` or use your normal update procedure to get the changes.
For the changes to take effect, *YOU MUST RESTART ALL GALAXY SERVER PROCESSES*.
--nate (on behalf of the Galaxy Committers)
[1] https://github.com/galaxyproject/galaxy/blob/dev/SECURITY_POLICY.md [2] https://github.com/galaxyproject/galaxy/
galaxy-dev@lists.galaxyproject.org