Security of a self-updating web app
https://stackoverflow.com/questions/4981172
-
12-11-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
What are the security concerns of the following scenario? (this is one of those crazy ideas that someone will try, and maybe a it's a good idea, and maybe it's a terrible idea...)
You have Rails app at example.com, and an action at https://example.com/admin/update_app
This action has the following requirements:
- It requires https (and redirects if not on https)
- It requires admin access
- The action displays a page with a form that says "Repository password: [ ]"
- This field is filtered out of the server logs, the same way that authentication to the site is filtered out, via the log filtering mechanism in Rails (i.e. this method)
This action does the following
- You put your code repository password in the field and hit "Submit"
- The action starts a shell script which pulls the latest updates from the stable branch of your code repository, and applies them to the site (unless repository authentication fails, in which case it stops all further steps)
- The web server is restarted
- An email is sent to the admin saying something simple like, "App update complete"
Solution
Don't send the password. The app could be compromised and trojaned or the filtering could fail. Instead, grant the web app read-only access to the repository via a separate account or public access.
Don't restart the server if there are no changes. Then the action is secure even without access control: unless the developer has authorized the update by updating the stable branch, nothing happens. If the stable branch is not so stable, create a separate production branch for this.
Stop the webserver before doing the update. The app might not be secure or safe to use as a mix of files from different versions.
Make sure the web server doesn't serve any metadata files left by the VCS.
OTHER TIPS
Well, this all remind me re-invented capistrano deploy on server through git repository.
Only problem that: 1) what if it will be conflicts during merge(point 2)? 2) what if webserver will not restart correctly(point 3)? 3) What if branch in your repository is not so stable(point 2)?
