spyder-ide / spyder-terminal

Run system terminals inside Spyder. Works on Linux, macOS and Windows.
MIT License

Unsecured terminal access #320

Open izahn opened 2 years ago

izahn commented 2 years ago

Description of your problem

spyder-terminal runs an unsecured shell accessible to all users on the system, posing a huge security problem in multi-user environments.

What steps will reproduce the problem?

  1. Start spyder
  2. Use top or similar system monitor to identify the port that spyder_terminal.server is running on
  3. Open a web browser and navigate to localhost:<port> where <port> is the number identified in step 2

What is the expected output? What do you see instead?

I expect to see nothing, or at least be required to supply a password or token. Instead I immediately have full shell access through the web browser.

Please provide any additional information below

This might be OK on single-user systems, but in an HPC context where many users are logged in to the same computer it is a security disaster.

Versions and main components

ccordoba12 commented 2 years ago

Hey @izahn, thanks a lot for reporting this serious security problem, of which we were not fully aware. We discussed it with the team and concluded the fix is not simple.

However, we'll try to address it in the next couple of months due to its relevance.

izahn commented 2 years ago

Thanks guys, appreciate it!
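The password-or-token gate the reporter asks for above, sketched as an added example. This is not spyder-terminal's own server code: it uses a standard-library `HTTPServer` as a stand-in for the terminal backend, and `SESSION_TOKEN`, `extract_token`, `is_authorized` and `TerminalHandler` are names introduced here. The point it shows is that binding to loopback is not a control on a shared host; the per-session token is.

```python
"""Token-gated local HTTP endpoint (example code, not spyder-terminal's)."""
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Generated fresh at every server start and shown only on the owning user's
# console (the model Jupyter uses); other local users never learn it.
SESSION_TOKEN = secrets.token_urlsafe(32)


def extract_token(path, headers):
    """Token the client presented: `Authorization: token X` first, then a
    `?token=X` query parameter; None when neither is present."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "token" and value.strip():
        return value.strip()
    return parse_qs(urlparse(path).query).get("token", [None])[0]


def is_authorized(path, headers, expected=None):
    """Constant-time comparison, so a local user cannot recover the token
    byte by byte by timing rejected requests."""
    expected = SESSION_TOKEN if expected is None else expected
    presented = extract_token(path, headers)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


class TerminalHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Reject before any shell-related work happens.
        if not is_authorized(self.path, self.headers):
            self.send_error(403, "token required")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"a terminal session would be created here\n")


def serve(port=0):
    # Loopback only, but on a multi-user host every local account can still
    # reach 127.0.0.1, so the token check above is the real access control.
    srv = HTTPServer(("127.0.0.1", port), TerminalHandler)
    print(f"listening on 127.0.0.1:{srv.server_address[1]} token={SESSION_TOKEN}")
    srv.serve_forever()


if __name__ == "__main__":
    serve()
```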