Add initial authentication support and simple default
Description
Environment
Attachments
Activity
Alex MillerJune 26, 2019 at 3:52 AM
All nrepl tickets closed, now managed at https://github.com/nrepl/nrepl
importMay 24, 2017 at 6:33 AM
Comment made by: rlb
I'm not sure what the library solution would look like, but fundamentally I think nrepl and the related ecosystem should be secure by default. If the JVM supported filesystem sockets, then a straightforward solution for platforms providing them would be a user-owned rw------- socket, but unfortunately that's not an option.
Regarding the current arrangement, I don't know of any precedent for providing passwordless shell access to user accounts as a default, and if if a tool like ssh or telnet were to do it, I'd be equally alarmed.
As it stands now, I think this command will probably destroy all the home directories of users running nrepl via lein or cider, on a machine where you can access localhost:
And if that's not sufficiently unnerving, all that's required to make it remotely exploitable is an appropriate bug in some other program running on the system, like a mail server, irc server, or perhaps a browser: http://seclists.org/oss-sec/2016/q4/100
In that case, Guile was affected by a similar issue, and while I think that particular exploit might not be able to target nrepl right now (as it can only send an http request, and the headers will probably choke nrepl before it reaches the dangerous body), it's not reasonable to assume that there will never be some other bug[1] in the browser or elsewhere that allows sending arbitrary bytes to a localhost port.
Coupled with the tendency for people to use sudo with a non-zero timeout, it might also provide a full system compromise to a patient, determined attacker.
Oh, and for what it's worth, I'm not at all attached to the particular solution suggested, but I do think this is a problem that should be solved.
[1] Or feature - I suspect people wouldn't normally assume that providing the ability to send bytes to a port on localhost might carry such a risk.
Chas EmerickMay 4, 2017 at 2:52 PM
When I was first creating nREPL, I heard many serious suggestions to have built-in security apparatuses (including authentication and evaluation soapboxes, among other things). All of them aimed to use the middleware mechanism (as it looks like you do here), which of course is a very open mechanism for extending nREPL servers in use in leiningen and other contexts.
The essential question is: why shouldn't these patches form the basis for a separate nREPL library? In that context, you'll be able to experiment and accommodate feedback much faster than if the same initial bits were landed here.
Details
Assignee
Chas EmerickChas EmerickReporter
importimportPatch
CodePriority
Major
Details
Details
Assignee
Chas EmerickReporter
importPatch
Priority
Major
The first of these two patches adds authentication to the server, and
the second trivially adjusts the message function to use it (as an
example).
I could easily imagine the current approach might not be acceptable,
but I'd be happy to try to make adjustments.
If this turns out to be interesting, then presumably tools like
leiningen and cider might want to provide more interesting strategies
via their own :auth-wrapper.
I haven't added automated tests for the authentication yet, but you can
run all of the existing tests like this:
NREPL_AUTH=none mvn package
and if we pursue the changes, I can see about adding authorization to
relevant parts of the test suite, if that's helpful.
If you'd like to try it out:
(umask 077 && dd bs=1 count=256 if=/dev/random | base64 > nrepl-token)
NREPL_AUTH=file:nrepl-token lein repl :headless
and then from another process in the same working directory:
(repl/message {:op :eval :code "(+ 1 1)" :auth (slurp "nrepl-token")})
(I also have a patch that adds NREPL_AUTH support to cider.)