Keystone-classic: Reporting several security issues

Created on 18 Sep 2017 · 26 comments · Source: keystonejs/keystone-classic

Hi Team,

We have some critical vulnerabilities to report to you in the application. We have prepared a report with details of the vulnerabilities. Kindly send me the contact person's email so that I can share the report, or I can also open public tickets here in the issues. As these are security issues, I do not want to post publicly.

Kindly provide us the option. Thanks

All 26 comments

If no one gets back to you, could you please get in touch with Thinkmill: https://www.thinkmill.com.au/

They are the company that is behind Keystone.

Yes. This should NOT be ignored. And a big thanks in advance for creating and preparing a report!

Thank you for all your support. We have the report ready, but we are unable to find the responsible person's email address. I'm looking at the https://www.thinkmill.com.au/ website, and I do not find any email address for reporting security issues.

@JedWatson @jstockwin

This needs to get to Jed, who is very busy at the moment - see this issue. Hopefully he'll get round to this when things are back on track.

Thanks for the bump, I've been in touch with @securelayer7 and am sorting out a secure email address for keystone so we can get the report. Just wanted to let everyone know that this is now underway.

Hi all,

We have reported the vulnerabilities to @JedWatson and now we are waiting for his reply.

Thanks

Any updates?

So far no update from @JedWatson. We are still waiting for the reply and patches. If the vulnerability is patched, then we will be forced to make it publicly available, so you can prepare your own patches.

Thanks

@sandeepl337 we've asked @molomby to take over investigating this from Jed. Assuming Jed has your contact details, I'll make sure molomby gets them tomorrow.

Hi @securelayer7 and @sandeepl337, @JedWatson's passed your report on to me and I've been working to verify and patch the issues.

This has also started a separate conversation about how Keystone as a project can better accept and respond to security reports. The lack of clear reporting guidelines, contact details, etc. has clearly hindered the process.

We do really appreciate the effort you've put in, both to find these issues and bring them to our attention. I'll update this thread as things progress.

@molomby Thank you for the response. It would be good for security researchers to report the vulnerabilities. This would be a good initiative, and if you face any difficulty reading the report then let me know; I'll make sure you understand the context of the vulnerability. Once you patch, let me know the updated GitHub link for verification of the patched code.

thanks

Besides, the documentation should have a separate section for server administrators to follow best practices to secure keystone apps. It should particularly address keystone-specific vulnerabilities.

Sorry to be a pain, but can we get more information on the severity of these issues (without releasing too much information before a patch is released)? I'm currently running multiple instances of keystone for clients and need to know how I can better protect their apps. Thanks.

@jjmpsp do you want the changes in the report?

I just spent several hours with @molomby reviewing fixes that have been prepared for the issues @sandeepl337 reported. They are nearly ready to be released.

Our current plan is to publish two new betas later this week - one including only the patches for the security issues (so there is as small a barrier to updating as possible) and another rolling up all changes since the last beta release on master including the fixes.

We'll then publish the information from the report after a delay (probably ~4 weeks), to explain what was addressed after everybody has had a chance to upgrade.

It's challenging safely addressing vulnerabilities in open source projects, so this is our plan but if anybody has something better to propose please let us know.

This sounds promising. Once you make the patch and before releasing, let us know for re-testing of the fixed vulnerabilities.

Thanks

Will do, thanks @sandeepl337!

Sorry @jjmpsp, we don't want to release any info before fixes are available but I'll ping you when they are.

As @JedWatson mentioned, the next release will contain only security fixes so should be an easy upgrade from the current v4.0.0-beta.5. If you want to prep before the update, my advice would be to test/update your apps against that version, so you can quickly switch to the forthcoming v4.0.0-beta.6.

We're on track to get the release out tomorrow afternoon AEST (UTC+11).

@securelayer7, @sandeepl337 -- I've shared a private repo with you guys containing fixes and will email you some details in a minute. It'd be fantastic if you could retest and OK the changes.

@JedWatson -- You'll need to publish the package when ready.

Thank you for making all the fixes. I'm looking for the code fixes.

Thanks

@molomby It would be great if you can share the fix links so that I can go through one by one.

Thanks

Thank you @molomby and @JedWatson for fixing the issue. If you need any information I'm happy to help you.

@molomby @JedWatson
Please take a look at https://snyk.io/test/github/keystonejs/keystone
I didn't go through all the issues listed there, but for example the project still references the affected version of qs (4.0.0).
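One way to check locally whether the affected qs version named above is still installed anywhere in an app's dependency tree, including nested transitive copies that a top-level `package.json` would not show. This is an added example, not code from the keystone-classic project; the lockfile below is constructed in the npm lockfile-v1 shape, and since the thread does not state which qs versions are fixed, the check takes a predicate and here simply matches the 4.0.0 version mentioned in the comment.

```javascript
// Constructed sample in npm lockfile-v1 shape (package names and versions
// are made up, except qs 4.0.0, the version mentioned in the thread).
const sampleLock = {
  name: 'keystone-app',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    'web-framework': {
      version: '4.1.0',
      // a nested copy on a different version: should not be flagged
      dependencies: { qs: { version: '6.5.0' } }
    },
    qs: { version: '4.0.0' },
    'some-middleware': {
      version: '1.2.0',
      // a nested transitive copy of the affected version
      dependencies: { qs: { version: '4.0.0' } }
    }
  }
};

// Walk the nested `dependencies` tree and return a "parent > child" path
// for every installed copy of `pkgName` whose version satisfies `isAffected`.
function findInstalled(lock, pkgName, isAffected, path = [], hits = []) {
  const deps = lock.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...path, `${name}@${info.version}`];
    if (name === pkgName && isAffected(info.version)) {
      hits.push(here.join(' > '));
    }
    // recurse into nested dependencies (transitive installs)
    findInstalled(info, pkgName, isAffected, here, hits);
  }
  return hits;
}

// Match exactly the version called out in the thread.
const affectedQs = findInstalled(sampleLock, 'qs', v => v === '4.0.0');
console.log(affectedQs);
```

Pointing `findInstalled` at a real `package-lock.json` (loaded with `JSON.parse`) reports both direct and transitive copies, which is the case `npm ls qs` and services like Snyk are flagging here.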

@asliwinski Ok, thanks for the heads up, I'll check these out.

Any idea if this is resolved?
