Security of a self-updating web application
What are the security concerns of the following scenario? (This is one of those crazy ideas that someone will try; maybe it's a good idea, and maybe it's a terrible idea...)
You have a Rails app at example.com, and an action at https://example.com/admin/update_app
This action has the following requirements:
- It requires https (and redirects if not on https)
- It requires admin access
- The action displays a page with a form that says "Repository password: [ ]"
- This field is filtered out of the server logs, the same way that authentication to the site is filtered out, via the log filtering mechanism in Rails (i.e. this method)
This action does the following:
- You put your code repository password in the field and hit "Submit"
- The action starts a shell script which pulls the latest updates from the stable branch of your code repository, and applies them to the site (unless repository authentication fails, in which case it stops all further steps)
- The web server is restarted
- An email is sent to the admin saying something simple like, "App update complete"
Comments (2)
Don't send the password. The app could be compromised and trojaned or the filtering could fail. Instead, grant the web app read-only access to the repository via a separate account or public access.
Don't restart the server if there are no changes. Then the action is secure even without access control: unless the developer has authorized the update by updating the stable branch, nothing happens. If the stable branch is not so stable, create a separate production branch for this.
Stop the webserver before doing the update. The app might not be secure or safe to use as a mix of files from different versions.
Make sure the web server doesn't serve any metadata files left by the VCS.
Well, this all reminds me of a re-invented capistrano deploy on the server through a git repository.
The only problem is:
1) what if there are conflicts during the merge (point 2)?
2) what if the webserver does not restart correctly (point 3)?
3) what if the branch in your repository is not so stable (point 2)?
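As an added illustration (not code from the question or from either commenter), here is what the first answer's four points and the second comment's three failure modes look like when written down as an update action plus a piece of Rack middleware. It assumes the app user already has a read-only deploy key for the repository (so no password is ever submitted), that a separate `production` branch exists, and that the web server is stopped and started by two commands passed in as `stop_cmd` and `start_cmd`; those names, `SafeUpdater`, `VcsMetadataGuard` and the use of a pluggable command runner are all my own choices, not Rails or capistrano APIs.

```ruby
# Added example: a password-free update action following the answer's advice, and
# a Rack middleware that refuses to serve VCS metadata. Nothing here is from the
# original post; SafeUpdater, VcsMetadataGuard, stop_cmd/start_cmd are assumptions.
require 'open3'

# Runs a command outside the web process; returns [stdout, success?].
class ShellRunner
  def run(*argv)
    out, _err, status = Open3.capture3(*argv)
    [out.strip, status.success?]
  end
end

class SafeUpdater
  # A branch separate from "stable" (answer, point 2 / comment, point 3).
  BRANCH = 'production'.freeze

  # runner is injectable so the control flow can be exercised without git.
  def initialize(app_dir:, stop_cmd:, start_cmd:, runner: ShellRunner.new)
    @app_dir, @runner = app_dir, runner
    @stop_cmd, @start_cmd = stop_cmd, start_cmd
  end

  def git(*args)
    @runner.run('git', '-C', @app_dir, *args)
  end

  # No password parameter: the repository is reachable read-only via a deploy key
  # (answer, point 1). Returns a symbol describing what happened.
  def update!
    _, fetched = git('fetch', 'origin', BRANCH)
    local, ok1  = git('rev-parse', 'HEAD')
    remote, ok2 = git('rev-parse', "origin/#{BRANCH}")
    return :fetch_failed unless fetched && ok1 && ok2
    # Nothing happens unless someone pushed to production (answer, point 2).
    return :no_change if local == remote

    # Stop before touching files so no mixed-version app is served (answer, point 3).
    _, stopped = @runner.run(*@stop_cmd)
    return :stop_failed unless stopped

    # reset --hard checks out the remote commit; no merge, so no conflicts (comment, point 1).
    _, reset_ok = git('reset', '--hard', remote)
    unless reset_ok
      git('reset', '--hard', local)
      @runner.run(*@start_cmd)
      return :checkout_failed
    end

    _, started = @runner.run(*@start_cmd)
    return :updated if started
    # Restart failed (comment, point 2): roll back to the previous commit and start that.
    git('reset', '--hard', local)
    @runner.run(*@start_cmd)
    :rolled_back
  end
end

# Rack middleware: never serve .git/.svn/.hg/.bzr directories (answer, point 4).
class VcsMetadataGuard
  VCS_DIR = %r{(^|/)\.(git|svn|hg|bzr)(/|$)}

  def initialize(app)
    @app = app
  end

  def call(env)
    if env['PATH_INFO'] =~ VCS_DIR
      return [404, { 'content-type' => 'text/plain' }, ['not found']]
    end
    @app.call(env)
  end
end
```

In a real deployment the email the question mentions would be sent from the `:updated` and `:rolled_back` branches, and the controller action would only call `update!` (behind admin auth and HTTPS) without reading any secret from the form. Having the middleware in front of the app is a second line of defence; the web server itself should also be configured to deny those paths.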