Strip Admin Users In Development DB Dump #309

Merged
merged 2 commits into from Sep 19, 2017

@mpchadwick
Contributor

mpchadwick commented Sep 19, 2017

Magerun pull-request check-list:

  • Pull request against develop branch (if not, just close and create a new one against it)
  • README.md reflects changes (if any)

Subject: Strip Admin Users In Development DB Dump

For security purposes, it's better to strip admin* and authorization* when dumping a production database for non-production use. For example, the production database could be restored to staging with production admin user data. The staging environment may not have the same level of security as production (e.g. default admin route, not rate limiting brute force password guessing). An attacker could leverage the staging environment to identify production user credentials and then use them to obtain access to the production system.

Changes proposed in this pull request:

  • admin* and authorization* are stripped when running a development db dump

If the maintainers agree with this change, I can additionally issue a pull request to n98-magerun.

@cmuench cmuench merged commit 69f3445 into netz98:develop Sep 19, 2017
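
A check that could be run on a dump before it is restored to a non-production environment, added here as an example (it is not code from this pull request or from the project). It assumes a mysqldump-style SQL file in which a stripped table keeps its `CREATE TABLE` statement but has no `INSERT` rows; the function names, the `table_prefix` parameter and the sample dump are constructed for illustration.

```python
import fnmatch
import re

# Wildcard patterns named in the pull request description.
SENSITIVE_PATTERNS = ("admin*", "authorization*")

# Captures the table name of a mysqldump-style INSERT statement.
INSERT_RE = re.compile(
    r"^\s*INSERT\s+(?:IGNORE\s+)?INTO\s+`?([A-Za-z0-9_]+)`?", re.IGNORECASE
)


def tables_with_rows(dump_lines):
    """Return {table_name: number_of_INSERT_statements} for tables carrying data."""
    counts = {}
    for line in dump_lines:
        match = INSERT_RE.match(line)
        if match:
            counts[match.group(1)] = counts.get(match.group(1), 0) + 1
    return counts


def unstripped_tables(dump_lines, table_prefix=""):
    """List tables matching admin*/authorization* that still contain rows.

    table_prefix is an optional database table prefix (hypothetical parameter);
    it is removed before the wildcard match so prefixed installs are covered.
    """
    found = []
    for table in sorted(tables_with_rows(dump_lines)):
        name = table
        if table_prefix and table.startswith(table_prefix):
            name = table[len(table_prefix):]
        if any(fnmatch.fnmatchcase(name.lower(), p) for p in SENSITIVE_PATTERNS):
            found.append(table)
    return found


# Constructed sample dump (not taken from a real system).
SAMPLE_DUMP = """\
CREATE TABLE `admin_user` (`user_id` int, `username` varchar(40), `password` varchar(255));
INSERT INTO `admin_user` VALUES (1,'constructed-admin','constructed-hash');
CREATE TABLE `authorization_role` (`role_id` int, `role_name` varchar(50));
INSERT INTO `authorization_role` VALUES (1,'Administrators');
CREATE TABLE `adminnotification_inbox` (`notification_id` int);
CREATE TABLE `catalog_product_entity` (`entity_id` int, `sku` varchar(64));
INSERT INTO `catalog_product_entity` VALUES (1,'constructed-sku');
""".splitlines()

if __name__ == "__main__":
    for table in unstripped_tables(SAMPLE_DUMP):
        print(f"still has rows: {table}")
```

An empty result means no table matching the two patterns carries data in the dump; a non-empty result is a reason to stop the restore and regenerate the dump.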

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@cmuench

Member

cmuench commented Sep 19, 2017

Thanks

@mpchadwick mpchadwick referenced this pull request Sep 20, 2017

Merged

Feature/strip admin #946

2 of 2 tasks complete

@ktomk ktomk added the enhancement label Sep 24, 2017
