Hi Ido,

Thanks for the feedback.  Replies below.

On Nov 5, 2013, at 9:54 AM, Ido Tamir wrote:

> This seems to happen often e.g. 
> http://wiki.galaxyproject.org/DevNewsBriefs/2012_10_23#Compute_Tool_Security_Fix

I'm not sure I'd agree that it's often - we've had 4 or 5 vulnerabilities over 
the life of the project.  2 allowed arbitrary code execution, the others were 
less severe.

> a) are there general guidelines in the wiki on how to avoid these problems 
> when creating tools?

The guidelines for writing a Galaxy tool are no different from best practices 
for writing secure code.  In specific for this vulnerability, execution of user 
input should be handled with extreme care, and this tool had some gaps in its 
input validation and sanitization.  For what it's worth, the filter tool (on 
which the other vulnerable tools were based) is one of the few tools surviving 
from the very early days of Galaxy, and would not be implemented the same way 
if written today.

> b) is there a way to check automatically if all input fields are correctly 
> escaped in a tool?

I am not sure how Galaxy could do this.  Galaxy sanitizes the command line so 
that input fields passed to a tool as command line arguments cannot be crafted 
to exploit the shell's parsing rules.  What the tool itself does with its 
inputs are out of Galaxy's control.

--nate

> 
> A search for security in the wiki brings up:
>       • Admin/Data Libraries/Library Security
> 0.0k - rev: 1 (current) last modified: 2013-01-02 23:54:33
>       • Admin/DataLibraries/LibrarySecurity
> 19.2k - rev: 4 (current) last modified: 2013-01-03 00:12:36
>       • HelpOnConfiguration/SecurityPolicy
> 1.9k - rev: 1 (current) last modified: 0
>       • Learn/Security Features
> 7.0k - rev: 3 (current) last modified: 2011-09-13 16:52:08
>       • News/2013_04_08_Galaxy_Security_Release
> 1.3k - rev: 3 (current) last modified: 2013-04-08 16:56:41
> 
> "escape" does not bring up anything.
> 
> thank you very much,
> ido
> 
> 
> On Nov 5, 2013, at 12:45 AM, Nate Coraor <n...@bx.psu.edu> wrote:
> 
>> A security vulnerability was recently discovered by John Chilton with 
>> Galaxy's "Filter data on any column using simple expressions" and "Filter on 
>> ambiguities in polymorphism datasets" tools that can allow for arbitrary 
>> execution of code on the command line.
>> 
>> The fix for these tools has been committed to the Galaxy source.  The timing 
>> of this commit coincides with the next Galaxy stable release (which has also 
>> been pushed out today).
>> 
>> To apply the fix and simultaneously update to the new Galaxy stable release, 
>> ensure you are on the stable branch and upgrade to the latest changeset:
>> 
>> % hg branch
>> stable
>> 
>> % hg pull -u
>> 
>> For Galaxy installations that administrators are not yet ready to upgrade to 
>> the latest release, there are three workarounds.
>> 
>> First, for Galaxy installations running on a relatively new version of the 
>> stable release (e.g. release_2013.08.12), Galaxy can be updated to the 
>> specific changeset that that contains the fix.  This will include all of the 
>> stable (non-feature) commits that have been accumulated since the 8/12 
>> release plus any new features included with (and prior to) the 8/12 release, 
>> but without all of the new features included in the 11/4 release.  Ensure 
>> you are on the stable branch and then upgrade to the specific changeset:
>> 
>> % hg pull -u -r e094c73fed4d
>> 
>> Second, the patch can be downloaded and applied manually:
>> 
>> % wget -o security.patch 
>> https://bitbucket.org/galaxy/galaxy-central/commits/e094c73fed4dc66b589932edb83412cb8b827cd3raw/
>> 
>> and then:
>> 
>> % hg patch security.patch
>> 
>> or:
>> 
>> % patch -p1 < security.patch
>> 
>> Third, the tools can be completely disabled by removing them from the tool 
>> configuration file (by default, tool_conf.xml) and restarting all Galaxy 
>> server processes.  The relevant lines in tool_conf.xml are:
>> 
>>  <tool file="stats/dna_filtering.xml" />
>>  <tool file="stats/filtering.xml" />
>> 
>> The full 11/4 Galaxy Distribution News Brief will be available later today 
>> and will contain details of changes since the last release.
>> 
>> --nate
>> Galaxy Team
>> ___________________________________________________________
>> Please keep all replies on the list by using "reply all"
>> in your mail client.  To manage your subscriptions to this
>> and other Galaxy lists, please use the interface at:
>> http://lists.bx.psu.edu/
>> 
>> To search Galaxy mailing lists use the unified search at:
>> http://galaxyproject.org/search/mailinglists/
> 
> 


___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

Reply via email to