Prevent the update of the portus user #1896
This pull request introduces two commits that prevent someone from updating the portus hidden user. This user is not to be used externally (i.e. it's not an explicit admin), but it's used internally for requests performed against the registry. That being said, if an attacker has access to the email being set for this hidden user, then they may be able to reset the password and use it externally too. This is now mitigated:
Thanks @kiorky for noticing this bug
To be done
referenced this pull request on Jul 23, 2018
This is done at the model level, so regardless of whether it was attempted from a controller or the API, the same validation error will be raised. In the case of the API, if they try to do this, they will get a 422 (general validation error), which is fine.
We should be able to reset the password via the API, in case, for example, of resetting manually via irb; this kind of code was what I used actually:
BUT, I saw also the introduction of the initializer in the PR.
In this case, then, so far so good, as we have a way to reset that very particular user's password and the rest of the workflow protects access to that user.
I disagree: if this password is only set as a secret, it should be kept this way. If we introduce multiple ways of providing the same thing, it will be confusing and lead to possible future bugs. So, let's keep this simple: it can only be provided as a secret.
Exactly. So in Rails, initializers are always executed when starting the application. In this case, it will set the password as defined by the secret on start. So, if you want to reset the modification you just did with IRB, simply restart Portus and it will set back your defined secret.
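As an added example (not Portus code), a plain-Ruby sketch of the two pieces discussed in this thread: a model-level validation that rejects any update of the hidden portus user no matter which entry point it comes from, and the initializer-style reset that applies the configured secret on start. The hand-rolled validation stands in for the ActiveRecord one; PORTUS_HIDDEN_USER, api_update and reset_password_from_secret! are assumed names.

```ruby
require "digest"
PORTUS_HIDDEN_USER = "portus".freeze # assumed name of the hidden internal user
class User
  attr_reader :username, :email, :password_digest, :errors
  def initialize(username:, email:, password:)
    @username = username
    @email = email
    @password_digest = digest(password)
    @errors = []
  end

  # The hidden user exists only for Portus' own requests against the registry.
  def portus?
    username == PORTUS_HIDDEN_USER
  end

  # Model-level validation: every update passes through here, whether it came
  # from a controller or from the API, so both entry points fail the same way.
  def valid_for_update?
    @errors = []
    @errors << "the #{PORTUS_HIDDEN_USER} user cannot be updated" if portus?
    @errors.empty?
  end

  # Public update path. On a validation failure the record is left untouched.
  def update(attrs)
    return false unless valid_for_update?
    @email = attrs[:email] if attrs.key?(:email)
    @password_digest = digest(attrs[:password]) if attrs.key?(:password)
    true
  end

  # What the boot-time initializer does: set the hidden user's password from the
  # configured secret, bypassing the public validation on purpose (no request input).
  def reset_password_from_secret!(secret)
    raise ArgumentError, "portus password secret is not set" if secret.to_s.empty?
    @password_digest = digest(secret)
    self
  end

  # Stand-in for the bcrypt digest a Rails/Devise app uses; not for real storage.
  def digest(password)
    Digest::SHA256.hexdigest(password)
  end
end

# The API maps a failed model validation to a 422, as described in the thread.
def api_update(user, attrs)
  user.update(attrs) ? 200 : 422
end
```

Restarting the application re-runs the reset from the secret, which is what undoes a manual change made in IRB.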