
Vulnerability: any application have access to change IPFS settings #7406


Closed
ghost opened this issue Jun 3, 2020 · 6 comments
Labels
kind/bug A bug in existing code (including security flaws) need/triage Needs initial labeling and prioritization

Comments

@ghost

ghost commented Jun 3, 2020

Version information:

go-ipfs v0.5.1

Description:

I found a serious vulnerability: any application and any user has access to change IPFS settings through the API.

Hope you fix it.

@ghost ghost added kind/bug A bug in existing code (including security flaws) need/triage Needs initial labeling and prioritization labels Jun 3, 2020
@welcome

welcome bot commented Jun 3, 2020

Thank you for submitting your first issue to this repository! A maintainer will be here shortly to triage and review.
In the meantime, please double-check that you have provided all the necessary information to make this process easy! Any information that can help save additional round trips is useful! We currently aim to give initial feedback within two business days. If this does not happen, feel free to leave a comment.
Please keep an eye on how this issue will be labeled, as labels give an overview of priorities, assignments and additional actions requested by the maintainers:

  • "Priority" labels will show how urgent this is for the team.
  • "Status" labels will show if this is ready to be worked on, blocked, or in progress.
  • "Need" labels will indicate if additional input or analysis is required.

Finally, remember to use https://discuss.ipfs.io if you just need general support.

@Stebalien
Member

Stebalien commented Jun 3, 2020

On localhost, via an origin restricted API, yes. Along with other commands like ipfs pin rm, ipfs block rm, etc.

Are you running in a shared environment?

@rpodgorny

(I'm not the original poster)

I think this needs to be (partially) redesigned in general. Most modern operating systems are multi-user, and while sharing block data may not be a security/privacy issue, sharing the MFS state certainly is.

@Stebalien
Member

Yeah, this definitely needs to be redesigned. Long discussion here: #1014. Also, #1532.

The short-term version is to have per-user daemons on separate ports with separate tokens.

@ghost ghost closed this as completed Jun 6, 2020
@RubenKelevra
Contributor

Well, as a workaround you can just use Unix sockets to restrict the API access to certain users on a machine. :)

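The two workarounds above (per-user daemons, or an API bound to a Unix socket whose filesystem permissions do the access control) can be checked mechanically. The following is an added example written for this page, not go-ipfs code: it reads a go-ipfs config, classifies each `Addresses.API` multiaddr, and for a Unix socket checks that the socket's directory is owner-only. It assumes the `/unix/<absolute-path>` multiaddr form for the API address and a POSIX host; the sample config, the `harden()` helper and the severity labels are constructed for illustration.

```python
"""Audit a go-ipfs config's Addresses.API for exposure to other local users.

Hypothetical auditor written for this thread; not part of go-ipfs.
"""
import copy
import json
import os
import stat
import tempfile

# Multiaddr protocols that carry a value in the following path component.
VALUE_PROTOS = {"ip4", "ip6", "tcp", "udp", "dns", "dns4", "dns6"}


def parse_multiaddr(addr):
    """'/ip4/127.0.0.1/tcp/5001' -> [('ip4', '127.0.0.1'), ('tcp', '5001')].

    '/unix/<path>' consumes the rest of the string as the socket path,
    because the path itself contains slashes.
    """
    parts = addr.strip("/").split("/")
    out, i = [], 0
    while i < len(parts):
        proto = parts[i]
        if proto == "unix":
            out.append(("unix", "/" + "/".join(parts[i + 1:])))
            break
        if proto in VALUE_PROTOS:
            out.append((proto, parts[i + 1]))
            i += 2
        else:
            out.append((proto, None))
            i += 1
    return out


def classify_api_addr(addr):
    """Return ('unix', path), ('loopback', host) or ('network', host)."""
    protos = dict(parse_multiaddr(addr))
    if "unix" in protos:
        return "unix", protos["unix"]
    host = (protos.get("ip4") or protos.get("ip6") or protos.get("dns4")
            or protos.get("dns6") or protos.get("dns"))
    if host in ("127.0.0.1", "::1", "localhost"):
        return "loopback", host
    return "network", host


def socket_dir_is_private(sock_path):
    """True if the socket's directory is owned by us and has no group/other bits."""
    st = os.stat(os.path.dirname(sock_path))
    return st.st_uid == os.getuid() and (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit_api(config):
    """Return one (severity, message) per Addresses.API entry (string or list)."""
    api = config.get("Addresses", {}).get("API", [])
    if isinstance(api, str):
        api = [api]
    findings = []
    for addr in api:
        kind, detail = classify_api_addr(addr)
        if kind == "network":
            findings.append(("high", f"{addr}: API reachable from the network ({detail})"))
        elif kind == "loopback":
            # Loopback TCP has no peer identity: every local user and process can connect.
            findings.append(("medium", f"{addr}: loopback TCP, any local user or process can call the API"))
        elif not os.path.isdir(os.path.dirname(detail)):
            findings.append(("info", f"{addr}: unix socket, directory does not exist yet"))
        elif not socket_dir_is_private(detail):
            findings.append(("medium", f"{addr}: unix socket, but its directory is not owner-only"))
        else:
            findings.append(("ok", f"{addr}: unix socket in an owner-only directory"))
    return findings


def harden(config, sock_path):
    """Copy of config with the API moved to a unix socket at the given absolute path."""
    new = copy.deepcopy(config)
    new.setdefault("Addresses", {})["API"] = "/unix" + sock_path
    return new


# Constructed sample: the default loopback TCP listener go-ipfs writes on init.
DEFAULT_CONFIG = json.loads(
    '{"Addresses": {"API": "/ip4/127.0.0.1/tcp/5001", "Gateway": "/ip4/127.0.0.1/tcp/8080"}}'
)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # mode 0700 by default
        for cfg in (DEFAULT_CONFIG, harden(DEFAULT_CONFIG, os.path.join(d, "api.sock"))):
            for sev, msg in audit_api(cfg):
                print(f"[{sev}] {msg}")
```

The check deliberately rates the stock `/ip4/127.0.0.1/tcp/5001` listener as a finding rather than as safe: loopback only limits who can reach the port from the network, not which local user is on the other end of the connection, which is exactly the gap the reporter describes.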
@polymorphm

polymorphm commented May 9, 2021

Actually, it's not closed.

Please make the API a Unix socket by default (while a config is being generated).

It's a vulnerability issue, so safety must be the default.

This issue was closed.