wiki:SecurityAlert090b4

Problem

The Buildbot WWW service publishes most of c['www'] to the web frontend, which uses that data to configure itself. Unfortunately, when change hooks are configured, that data may contain the secrets configured for those hooks, and everything published to the frontend is readable by anyone who can reach the web UI.

The data is embedded in the HTML document served at the root of the service, so no authentication is needed to read it. For example:

dustin@hopper ~ $ curl nine.buildbot.net
...{"authz": {}, "avatar_methods": {"name": "gravatar"}, "titleURL": "http://buildbot.net/", "versions": [ ["Python", "2.7.10"], ["Buildbot", "0.9.0b4"], ["Twisted", "15.4.0"] ], "title": "Buildbot", "logfileName": "http.log", "user": {"anonymous": true}, "plugins": {"waterfall_view": {}}, "buildbotURL": "http://nine.buildbot.net/", "multiMaster": false, "auth": {"name": "NoAuth"}, "port": "tcp:8010:interface=192.168.80.244"}...

The immediate solution is to omit the change_hook_dialects key from the published data, preventing disclosure of the hook secrets it contains - see https://github.com/buildbot/buildbot/pull/1891. The longer-term fix is to whitelist the configuration keys that are published, so that any key not explicitly marked as safe to publish stays private - see #3374.
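The two fixes described above, as an added example that is not Buildbot's own code: a blocklist filter that drops only change_hook_dialects (the immediate fix) next to an allowlist filter that publishes only known-safe keys (the longer-term fix), plus a scanner that walks whatever would be published and reports paths whose key name looks secret-bearing. The sample c['www'] dictionary is constructed for this example; its key names mirror the curl output above, the GitHub hook secret value is made up, and the allowlist and the hypothetical_new_hooks key are illustrative assumptions, not Buildbot's actual list or configuration.

```python
import json

# Constructed sample of a c['www'] dictionary (not a real configuration).
# Key names mirror the JSON shown in the page's curl output; the hook
# secret value is made up for this example.
SAMPLE_WWW_CONFIG = {
    "port": "tcp:8010:interface=192.168.80.244",
    "plugins": {"waterfall_view": {}},
    "auth": {"name": "NoAuth"},
    "authz": {},
    "avatar_methods": {"name": "gravatar"},
    "change_hook_dialects": {"github": {"secret": "constructed-example-secret"}},
}

# Assumption: an illustrative allowlist of keys the frontend actually needs.
# Buildbot's real list (see #3374) may differ.
PUBLISHED_KEYS = frozenset({
    "port", "plugins", "auth", "authz", "avatar_methods",
    "title", "titleURL", "buildbotURL", "multiMaster", "versions",
})

# Key names that usually carry credentials; used by the leak scanner below.
SECRET_KEY_NAMES = frozenset({"secret", "password", "token"})


def publish_blocklist(www_config):
    """Immediate fix (pull request 1891 style): publish everything except the
    one key known to hold secrets. Any future secret-bearing key still leaks."""
    return {k: v for k, v in www_config.items() if k != "change_hook_dialects"}


def publish_allowlist(www_config):
    """Longer-term fix (#3374 style): publish only keys explicitly marked safe.
    A key that is not on the allowlist stays private by default."""
    return {k: v for k, v in www_config.items() if k in PUBLISHED_KEYS}


def leaked_secret_paths(obj, path=""):
    """Walk a published structure and return dotted paths of scalar values
    stored under a secret-looking key name, e.g. 'change_hook_dialects.github.secret'."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else str(key)
            if (isinstance(key, str) and key.lower() in SECRET_KEY_NAMES
                    and not isinstance(value, (dict, list))):
                found.append(child)
            found.extend(leaked_secret_paths(value, child))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            found.extend(leaked_secret_paths(value, f"{path}[{index}]"))
    return found


def check_published_json(json_text):
    """Check the JSON object extracted from a master's root HTML page (as in the
    curl output above) for secret-bearing paths. Returns the list of leaked paths."""
    return leaked_secret_paths(json.loads(json_text))


if __name__ == "__main__":
    # Hypothetical future key with a credential, to show why the blocklist is fragile.
    extended = dict(SAMPLE_WWW_CONFIG,
                    hypothetical_new_hooks={"example": {"token": "constructed-token"}})
    print("unfiltered:", leaked_secret_paths(SAMPLE_WWW_CONFIG))
    print("blocklist:  ", leaked_secret_paths(publish_blocklist(extended)))
    print("allowlist:  ", leaked_secret_paths(publish_allowlist(extended)))
```

Running the script shows the unfiltered data leaking change_hook_dialects.github.secret, the blocklist output leaking the hypothetical new key's token, and the allowlist output leaking nothing, which is the argument for the longer-term fix. To check a live master, paste the JSON object from its root page into check_published_json.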

Recommended Fix

Buildbot-0.9.0b5 contains the fix from pull request 1891. All users who have deployed a 0.9.0 beta with web hooks containing secrets are encouraged to upgrade and to rotate those secrets, since they should be assumed to have been disclosed to anyone who could reach the web UI. Packages are available at

Credit

Pieter Lexis discovered this bug and reported it per the Security process.

Last modified on Oct 22, 2015, 1:23:09 PM