NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

tandoor-recipes: Default storage configuration is prone to sqlite database leaks #338339

Open Scrumplex opened 2 weeks ago

Scrumplex commented 2 weeks ago

Describe the bug

Tandoor Recipes' (TR) default media folder as well as its working directory is at /var/lib/tandoor-recipes.[1][2] Unless a Postgres connection is configured, TR is going to create a SQLite 3 database in its working directory.[3] But as media is also stored in the same directory, most users are going to blindly expose that directory to the network using Nginx or even by setting GUNICORN_MEDIA=true. This means that without special care, users will expose their SQLite database to the network too.

Steps To Reproduce

{
  services.tandoor-recipes = {
    enable = true;
    port = 1234;
    extraConfig = {
      # Alternatively expose /var/lib/tandoor-recipes as recommended in TR's docs
      # See https://docs.tandoor.dev/install/manual/#nginx
      GUNICORN_MEDIA = true;
    };
  };
}
$ ls /var/lib/tandoor-recipes
db.sqlite3  tandoor-recipes-manage

$ curl --head http://localhost/media/db.sqlite3
HTTP/2 200 
content-disposition: inline; filename="db.sqlite3"
content-language: en
content-type: application/vnd.sqlite3
server: gunicorn
content-length: 1667072
...

Expected behavior

The database should not be stored in the same directory as media.

Screenshots

N/A

Additional context

This problem does not manifest itself, if TR is deployed with a Postgres database instead.

The upstream docker image seems to use a working directory separate from the media path.

Notify maintainers

@ambroisie

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.6.47, NixOS, 24.11 (Vicuna), 24.11.20240828.71e91c4`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Lix, like Nix) 2.91.0
System type: x86_64-linux
Additional system types: aarch64-linux, i686-linux
Features: gc, signed-caches
System configuration file: /etc/nix/nix.conf
User configuration files: /root/.config/nix/nix.conf:/etc/xdg/nix/nix.conf:/root/.nix-profile/etc/xdg/nix/nix.conf:/nix/profile/etc/xdg/nix/nix.conf:/root/.local/state/nix/profile/etc/xdg/nix/nix.conf:/etc/profiles/per-user/root/etc/xdg/nix/nix.conf:/nix/var/nix/profiles/default/etc/xdg/nix/nix.conf:/run/current-system/sw/etc/xdg/nix/nix.conf
Store directory: /nix/store
State directory: /nix/var/nix
Data directory: /nix/store/apms7kqjgl9lxb1gqmhj4kxcbvlnfg4w-lix-2.91.0/share`
 - channels(root): `"nixos-22.11, nixos-hardware"`
 - nixpkgs: `/etc/nix/channels/nixpkgs`


Scrumplex commented 2 weeks ago

A symptom of the same bug is that the tandoor-recipes-manage file can also be read. Now it shouldn't contain any secrets, as those would also be in the Nix store, but it might reveal some information about the deployment to an outsider.

I have found at least one public instance of tandoor where I could read the contents of tandoor-recipes-manage.

Most deployments use Postgres, so I couldn't find a public instance with the main issue.

eclairevoyant commented 2 weeks ago

Is this an issue upstream as well? May want to report it there if so.

ambroisie commented 2 weeks ago

@eclairevoyant quoting from "additional context":

The upstream docker image seems to use a working directory separate from the media path.

I can see why this is an insecure default, and hadn't thought about it. I fear the (obvious) fix would be a breaking change needing user intervention: have /var/lib/tandoor-recipes be the working directory and /var/lib/tandoor-recipes/media be the default media folder.
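The following is an added example, not code from the issue author or from nixpkgs. It turns the reproduction in the report (HEAD requests against /media/db.sqlite3 and /media/tandoor-recipes-manage) and the layout proposed in the last comment (working directory /var/lib/tandoor-recipes, media under /var/lib/tandoor-recipes/media) into a small audit script: a filesystem check that tells you whether the SQLite database and the manage wrapper fall inside MEDIA_ROOT, and an HTTP probe that reports which of those names a running instance actually serves. The file names, the /media/ URL prefix and the directory paths are taken from the report; the `head` callable parameter and the `demo_working_dir` helper (which builds a throwaway directory with empty placeholder files) are assumptions made here so the script runs offline.

```python
"""Audit a Tandoor Recipes deployment for SQLite / manage-script exposure.

Added example (not part of the nixpkgs module or of Tandoor). Two checks:

  * filesystem: do db.sqlite3 / tandoor-recipes-manage from the working
    directory sit inside MEDIA_ROOT?  If they do, whatever serves MEDIA_ROOT
    (nginx, GUNICORN_MEDIA=true) serves them too.
  * HTTP: HEAD <base>/media/<name> and report every name that answers 200.
"""
from __future__ import annotations

import sys
import tempfile
from pathlib import Path
from typing import Callable
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Files created in the working directory by the NixOS module (per the report).
SENSITIVE_NAMES = ("db.sqlite3", "tandoor-recipes-manage")

# (status, content-type) for a URL; injectable so the probe can be tested offline.
HeadFn = Callable[[str], tuple[int, str]]


def exposed_paths(working_dir: str | Path, media_root: str | Path,
                  names: tuple[str, ...] = SENSITIVE_NAMES) -> list[Path]:
    """Return the sensitive files in working_dir that lie under media_root."""
    root = Path(media_root).resolve()
    hits: list[Path] = []
    for name in names:
        candidate = Path(working_dir).resolve() / name
        if not candidate.exists():
            continue
        try:
            candidate.relative_to(root)   # raises ValueError when outside root
        except ValueError:
            continue                      # not under the served tree: fine
        hits.append(candidate)
    return hits


def _http_head(url: str) -> tuple[int, str]:
    """Real HEAD request; 4xx/5xx are returned as a status, not raised."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except HTTPError as err:
        return err.code, err.headers.get("Content-Type", "")
    except URLError:
        return 0, ""                      # unreachable host


def probe_media_url(base_url: str, names: tuple[str, ...] = SENSITIVE_NAMES,
                    head: HeadFn = _http_head) -> dict[str, tuple[int, str]]:
    """HEAD <base>/media/<name> for each name; return those served with 200."""
    base = base_url.rstrip("/")
    leaks: dict[str, tuple[int, str]] = {}
    for name in names:
        status, ctype = head(f"{base}/media/{name}")
        if status == 200:
            leaks[name] = (status, ctype)
    return leaks


def demo_working_dir() -> Path:
    """Constructed stand-in for /var/lib/tandoor-recipes (empty placeholder files)."""
    tmp = Path(tempfile.mkdtemp(prefix="tandoor-demo-"))
    for name in SENSITIVE_NAMES:
        (tmp / name).touch()
    return tmp


def main(argv: list[str]) -> int:
    if len(argv) >= 3:                    # audit a real deployment
        working_dir, media_root = argv[1], argv[2]
        url = argv[3] if len(argv) > 3 else None
    else:                                 # offline demo of the vulnerable layout
        working_dir = media_root = str(demo_working_dir())
        url = None
    bad = exposed_paths(working_dir, media_root)
    for path in bad:
        print(f"EXPOSED: {path} is inside MEDIA_ROOT {media_root}")
    if url:
        for name, (status, ctype) in probe_media_url(url).items():
            print(f"SERVED: {url.rstrip('/')}/media/{name} -> {status} {ctype}")
    # The proposed fix: media in a subdirectory of the working directory.
    print("with MEDIA_ROOT=<working_dir>/media the exposure is:",
          exposed_paths(working_dir, Path(working_dir) / "media"))
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python audit.py /var/lib/tandoor-recipes /var/lib/tandoor-recipes http://localhost:1234` to check a real host; with no arguments it builds the constructed layout and shows that the default (MEDIA_ROOT equal to the working directory) exposes both files while the layout proposed in the thread exposes none. The probe deliberately treats any 200 as a finding regardless of Content-Type, since a proxy may rewrite headers.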