[galaxy-dev] GX-2017-0003: Unauthorized filesystem access via data source tools

Nate Coraor nate at bx.psu.edu
Mon Oct 23 10:50:38 EDT 2017


*DESCRIPTION*

A medium severity security vulnerability in tools utilizing the Galaxy data
source protocol was recently discovered by Dan Blankenberg. This
vulnerability allows anyone able to run an external data source tool to add
to their history any file that is readable by the user running Galaxy jobs
on the host where the job runs. The cause is that the Python urllib library
opens `file://` URLs (reading from the local filesystem of the host running
the code) and the tool passed the URL to urllib without checking its scheme.

This vulnerability has been assigned the disclosure ID GX-2017-0003.

*AFFECTED VERSIONS*

This vulnerability affects all known versions of Galaxy.

*IMPACT*

Many such "external data source" tools ship with the Galaxy distribution
and are enabled by default (most tools under the "Get Data" section of the
tool panel), so exploitability is fairly high: a server is vulnerable if
even one such tool is enabled, including any custom data source tool (any
tool that uses `tools/data_source/data_source.py`).
Which files can be read depends entirely on what the job's user has
access to read on the host(s) where jobs run.

*SOLUTION*

Per our security policies[1], we have created fixes for all affected
versions of Galaxy. These have been committed to the corresponding
`release_YY.MM` (and `dev`) branches in the Galaxy GitHub repository.

Releases prior to 16.07 will remain vulnerable and should be updated to a
supported release as soon as possible.

Eric Rasche recently undertook a hardening of the Galaxy code base against
common security mishaps.[2] This included changing most uses of `urllib` to
`requests`, which does not operate on `file://` URLs. Although no exploits
were identified at that time, we felt this work was of great enough
importance to production Galaxy servers that we backported it to releases
from 16.07 forward. Because of this, and the GX-2017-0001 and GX-2017-0002
vulnerabilities, administrators are strongly encouraged to update
immediately, even if they do not believe their servers are vulnerable.
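The mechanism described above (urllib following `file://` URLs when the
tool never checks the scheme) and the remedy (a URL scheme allowlist, which
is what `requests` gives you implicitly since it has no `file://` adapter)
are shown side by side below. This is an added example written for this
advisory, not Galaxy's own `data_source.py` or the committed fix; the
function names, the allowlist and the temporary "secret" file are
hypothetical and constructed for the demonstration.

```python
"""
Added example (not Galaxy project code): an unchecked URL handed to urllib
reads local files; a scheme allowlist blocks it. Names are hypothetical.
"""
import os
import pathlib
import tempfile
import urllib.request
from urllib.parse import urlsplit

# Hypothetical allowlist: a data source tool only ever needs http(s).
ALLOWED_SCHEMES = ("http", "https")


def vulnerable_fetch(url: str) -> bytes:
    """Mirrors the flawed pattern: the URL goes to urlopen() unchecked.
    urllib installs a FileHandler by default, so a file:// URL is read from
    the local filesystem as whatever user runs this code (for Galaxy, the
    job user on the host where the job runs)."""
    with urllib.request.urlopen(url) as resp:  # deliberately unsafe
        return resp.read()


def is_allowed_url(url: str, allowed=ALLOWED_SCHEMES) -> bool:
    """Allowlist check: only http(s) URLs with a host component pass.
    The URL is stripped first because urlopen() itself strips surrounding
    whitespace, so ' file:///etc/passwd' must be judged the same way.
    urlsplit() lower-cases the scheme, so 'FILE://' is rejected too."""
    parts = urlsplit(url.strip())
    return parts.scheme in allowed and bool(parts.netloc)


def safe_fetch(url: str) -> bytes:
    """Hardened variant: validate the scheme before any I/O happens, and
    open exactly the string that was validated."""
    url = url.strip()
    if not is_allowed_url(url):
        raise ValueError(f"refusing URL with disallowed scheme: {url!r}")
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def demo() -> dict:
    """Create a constructed 'secret' file, show that the unchecked path
    reads it through a file:// URL, and that the allowlisted path refuses
    the same URL. Returns {'leaked': bool, 'blocked': bool}."""
    secret = b"constructed sample secret\n"  # constructed test data
    fd, path = tempfile.mkstemp(prefix="gx-2017-0003-demo-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(secret)
        file_url = pathlib.Path(path).as_uri()  # e.g. file:///tmp/gx-...
        leaked = vulnerable_fetch(file_url) == secret
        try:
            safe_fetch(file_url)
            blocked = False
        except ValueError:
            blocked = True
        return {"leaked": leaked, "blocked": blocked}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())  # expected: {'leaked': True, 'blocked': True}
```

Two design points. First, the check is done on the same normalised string
that is later opened, because `urlopen()` strips whitespace from the URL it
is given; validating the raw string and opening it unmodified would let a
leading space slip a `file://` URL past a naive `startswith("http")` test.
Second, switching to `requests`, as the hardening work above did, gets the
same effect without an explicit allowlist: `requests.get("file:///...")`
raises `requests.exceptions.InvalidSchema` because no connection adapter is
registered for `file://`. An explicit allowlist is still worth keeping, so
that the policy survives a later change of HTTP library.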

*INSTRUCTIONS*

The fixes are available on the `release_16.07` through `release_17.09` and
`dev` branches in the Galaxy GitHub repository[3]. You can simply `git
pull` or use your normal update procedure to get the changes.

For the changes to take effect, *YOU MUST RESTART ALL GALAXY SERVER
PROCESSES*.

--nate (on behalf of the Galaxy Committers)

[1] https://github.com/galaxyproject/galaxy/blob/dev/SECURITY_POLICY.md
[2] https://github.com/galaxyproject/galaxy/pull/4604
[3] https://github.com/galaxyproject/galaxy/