Notice for authorized access to redacted files#19
Conversation
|
Thanks for the PR! Let me think about it for just a bit. There's intentionally little information in the message today because I didn't want to provide recon data to threat actors. Example Scenario: A threat actor compromises an SSO account. If the links are public and documented in the files, it'd make it easier for them to discover those and start abusing them. But of course if they have access to an SSO account they may still be able to get at internal docs and find it... but still the chances of them finding it are lower than if it's advertised. Anywho, just thinking it through a bit. Question: Would it have been easier to find if it was well documented in the platforms internal docs? |
I definitely agree that hiding this link will make life harder for a privileged enough attacker
I would wager the vast majority of legitimate users would see the artifact has been redacted and wouldn't even imagine the possibility that someone has gone through the effort to set up a system that makes the data available to them regardless, let alone think to look in "the" docs. Quotes because - which platform? which docs? After all this is just a link they followed from their PR, they don't know much about anything. In my opinion the damage done to productivity from dead ends like this is way too great* to ignore. We need to leave some sort of trail from the redaction to the artifact. *especially considering we censor entire archives when they contain a single piece of secret information. Archives which contain crucial data (as well as some unknown secret). As a user you feel really hopeless left to guess which part of the archive is making the other data you actually care about right now to disappear... Maybe something less direct than a link?
|
Yeah I think this strikes a good middle ground. And I like the idea of having a "reach out to" type message to point people in the right direction. For this MR, do you want to make the whole notice configurable via a And then on the internal deploy of this we can tweak the notice to point someone in the right direction without just completely handing them what they need to get the file. |
In Red Hat's OCP Prow CI I saw that we can still access redacted artifacts at an internal service. I was not aware of this for months until someone told me. It would be nice if users were informed of this instead of reaching a "redacted" dead-end where they expected to see their artifacts. Deployments can now set `LEAKTK_GCS_FILTER_REDACTOR_QUARANTINE_NOTICE` to a custom message that will be written to redacted files instead of the default notice. This allows users to be informed of how to access redacted files instead of reaching a dead-end. For example, in Red Hat this message could tell them to reach out to the security team or point them to internal documentation.
omertuc
changed the title
|
Alright, sorry for the delay. Updated PR with what we agreed on |
2 participants
See commit message for more info