> I found a massive security concern

I still haven't heard of a single path for exploit, but ok... everyone will remain with his own convictions
Thanks for your patience too

2015-05-05 17:09 GMT+02:00 Jan Lehnardt <[email protected]>:

>
> > On 05 May 2015, at 16:36, Giovanni Lenzi <[email protected]> wrote:
> >
> >> otherwise, again, the system is insecure (I helped build it that way).
> >
> > To tell the truth, with handlers renaming or as soon as an attacker doesn't
> > know your db name, the system can still be secured without any proxy. However,
> > if proxy is really a concern, a fix to use CouchDB only, could eventually
> > be creating a new "default _rewrite path" parameter within couchdb
> > configuration, to be used as "default path" in case of request without or
> > with an incorrect "Host Header"
> >
> > Jan, trust me... All I'm doing here is to bring help with marketing,
> > tutorials and CouchDB improvements... I hope this can be recognized
>
> No worries, I 100% recognise your efforts.
>
> Thank you for being patient with me.
>
> My only concern was with understanding how your particular flavour of CouchApp
> works and I think I found a massive security concern. That’s why I won’t be
> advocating for this particular solution (not saying it can’t be, but it isn’t
> today).
>
> With that out of the way, let’s get back to the story part of this discussion.
>
> Thanks
> Jan
> --
>
> >
> >
> > 2015-05-05 15:57 GMT+02:00 Jan Lehnardt <[email protected]>:
> >
> >>
> >>> On 05 May 2015, at 15:50, Giovanni Lenzi <[email protected]> wrote:
> >>>
> >>>> CouchDB has no way of blocking requests to _changes that have no filter parameter
> >>> Why? _rewrite handler is used to allow only requests complying with your
> >>> api, and therefore preventing requests to changes without a filter. You
> >>> can have a look to rewrites.json file for this.
> >>>
> >>> I agree proxy is a best practice as a load balancer and to forward only
> >>> requests to allowed vhosts, like Smileupps, Iriscouch or Cloudant all are
> >>> doing, even if it's not strictly mandatory for security.
> >>>
> >>> Anyway, I was not interested here, in raising this kind of technical
> >>> discussion. My starting e-mail only wanted to be constructive, by proposing
> >>> a way to push content around CouchDB and Couchapps, to help everyone
> >>> understand what they really can and cannot do.
> >>
> >> I’m sorry to derail this, but I want to make sure I understand your system
> >> before I can argue for or against your claims :)
> >>
> >> Your point that CouchApps can be a platform is well taken, thank you for
> >> that!
> >>
> >> You equally can’t force a client to use a _request handler, only if you
> >> block requests without a Host: header in a proxy in front of CouchDB,
> >> otherwise, again, the system is insecure (I helped build it that way).
> >>
> >> Best
> >> Jan
> >> --
> >>
> >>
> >>>
> >>>
> >>> 2015-05-05 15:21 GMT+02:00 Jan Lehnardt <[email protected]>:
> >>>
> >>>>
> >>>>> On 05 May 2015, at 15:14, Giovanni Lenzi <[email protected]> wrote:
> >>>>>
> >>>>>> That happens in a proxy outside of CouchDB then?
> >>>>>
> >>>>> No, it happens in the changes filter of the design document.
> >>>>
> >>>> You cannot force a client to use a filter. CouchDB has no way of blocking
> >>>> requests to _changes that have no filter parameter. If you are not doing
> >>>> that in a proxy, your system is not secure.
> >>>>
> >>>> Best
> >>>> Jan
> >>>> --
> >>>> Professional Support for Apache CouchDB:
> >>>> http://www.neighbourhood.ie/couchdb-support/
> >>>>
> >>>>
> >>
> >> --
> >> Professional Support for Apache CouchDB:
> >> http://www.neighbourhood.ie/couchdb-support/
> >>
> >>
>
> --
> Professional Support for Apache CouchDB:
> http://www.neighbourhood.ie/couchdb-support/
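
The proxy-side check this thread argues about, as an added example that is not part of the original messages: a Python sketch of a gate in front of CouchDB that forwards a request only when it carries exactly one Host header naming a configured vhost, and that refuses direct _changes requests with no filter parameter. The vhost names, function names and reason strings are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed names; stand-ins for the hosts mapped to _rewrite in CouchDB's vhosts.
ALLOWED_VHOSTS = {"app.example.com", "shop.example.com"}


def normalize_host(value):
    """Lower-case a Host header value, dropping the port and a trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):          # IPv6 literal: never a vhost name here
        return host
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def gate(headers, target, allowed=ALLOWED_VHOSTS):
    """Return (forward, reason) for one incoming request.

    headers: list of (name, value) pairs as received, so repeats stay visible.
    target:  request target, e.g. "/db/_changes?filter=app/mine".
    """
    hosts = [v for k, v in headers if k.lower() == "host"]
    if len(hosts) != 1:
        # No Host header means no vhost match, so the raw CouchDB API answers.
        return False, "missing or repeated Host header"
    if normalize_host(hosts[0]) not in allowed:
        return False, "Host is not a configured vhost"

    parts = urlsplit(target)
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if segments and segments[-1] == "_changes":
        # parse_qs drops blank values, so "filter=" counts as no filter.
        if not parse_qs(parts.query).get("filter"):
            return False, "_changes without filter parameter"
    return True, "ok"
```
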
