Security vulnerability on clusters

Description

I will describe this offline.

Environment

None

Activity

Ziming Dong
April 11, 2018, 5:53 PM

I removed the unused import. Can you try validating again, please?

Larsson Omberg
April 12, 2018, 1:15 PM


I see two issues with the user experience:

1) I am now being prompted for my password even though I already stored my credentials. If I didn't know what was going on, I would be very leery of inputting my password and wonder why Synapse "broke". Also, most users will most likely not remember how they stored their credentials in the first place.

2) Even though my credentials are getting stored in a new location my old credentials still remain in the .synapseCache/.session. This leaves the vulnerability open to everyone who is only upgrading.

I suggest we should migrate the storage location of the credentials for the user if they already have them cached.

Ziming Dong
April 12, 2018, 10:15 PM


In the case of a shared cache folder, I would not want to perform migration since it may contain stored credentials to which the current user should not have access.

Here is what I can do:
1. If the cache location is the same as the default location defined in our code, migrate the credentials.
2. Always delete the old .session file regardless of the cache's location.

Users that use a shared cache directory will still have to reenter passwords, but hopefully this covers the use case for most users.
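The two-step migration proposed above, written out as an added example; this is not code from the Synapse client or from the thread's participants. The default cache path, the JSON layout of the legacy .session file, and the `store_credential` callback are assumptions made for the illustration.

```python
import json
import os
import tempfile
from pathlib import Path

# Assumed default cache location and legacy session file name (not from the issue).
DEFAULT_CACHE_DIR = Path.home() / ".synapseCache"
LEGACY_SESSION_FILE = ".session"


def migrate_session_credentials(cache_dir, store_credential, default_cache_dir=DEFAULT_CACHE_DIR):
    """Apply the two steps from the thread.

    1. Migrate stored credentials only when cache_dir is the per-user default;
       a shared cache may hold other users' secrets, so those are never copied.
    2. Always delete the legacy .session file so the old plaintext copy does not
       survive an upgrade, whatever the cache location.
    Returns (number_of_credentials_migrated, session_file_deleted).
    """
    cache_dir = Path(cache_dir).expanduser().resolve()
    session_path = cache_dir / LEGACY_SESSION_FILE
    if not session_path.is_file():
        return 0, False

    migrated = 0
    if cache_dir == Path(default_cache_dir).expanduser().resolve():
        try:
            with open(session_path, encoding="utf-8") as fh:
                # Assumed legacy layout: {"apiKeys": {"<username>": "<api key>"}}.
                api_keys = json.load(fh).get("apiKeys", {})
        except (OSError, ValueError):
            api_keys = {}  # unreadable file: nothing to migrate, but still delete it
        for username, api_key in api_keys.items():
            store_credential(username, api_key)
            migrated += 1

    os.remove(session_path)  # step 2: runs for shared and default caches alike
    return migrated, True


def demo():
    """Constructed scenario: a default cache and a shared cache, each holding a .session."""
    root = Path(tempfile.mkdtemp())
    default_dir, shared_dir = root / ".synapseCache", root / "shared_cache"
    new_store = {}
    for d in (default_dir, shared_dir):
        d.mkdir()
        (d / LEGACY_SESSION_FILE).write_text(json.dumps({"apiKeys": {"alice": "key-for-alice"}}))
    results = [migrate_session_credentials(d, new_store.__setitem__, default_cache_dir=default_dir)
               for d in (default_dir, shared_dir)]
    return results, dict(new_store), [(d / LEGACY_SESSION_FILE).exists() for d in (default_dir, shared_dir)]
```

Only the default cache's credentials reach the new store; the shared cache's .session is deleted without being read into the current user's store.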

Larsson Omberg
April 13, 2018, 4:46 AM

That sounds good.

Ziming Dong
April 13, 2018, 8:14 PM

Migration of credentials has been added to the develop branch

Assignee

Ziming Dong

Reporter

Larsson Omberg

Labels

None

Validator

Larsson Omberg

Development Area

None

Release Version History

None

Fix versions

Priority

Critical