zulip/tools
Mateusz Mandera 0c2cc41d2e CVE-2019-18933: Fix insecure account creation via social authentication.
A bug in Zulip's new user signup process meant that users who
registered their account using social authentication (e.g. GitHub or
Google SSO) in an organization that also allows password
authentication could have their personal API key stolen by an
unprivileged attacker, allowing nearly full access to the user's
account.

Zulip versions between 1.7.0 and 2.0.6 were affected.

This commit fixes the original bug and also contains a database
migration to fix any users with corrupt `password` fields in the
database as a result of the bug.

Out of an abundance of caution (and to protect the users of any
installations that delay applying this commit), the migration also
resets the API keys of any users where Zulip's logs cannot prove the
user's API key was not previously stolen via this bug.  Resetting
those API keys will be inconvenient for users:

* Users of the Zulip mobile and terminal apps whose API keys are reset
  will be logged out and need to log in again.
* Users using their personal API keys for any other reason will need
  to re-fetch their personal API key.

We discovered this bug internally and don't believe it was disclosed
prior to our publishing it through this commit.  Because the algorithm
for determining which users might have been affected is very
conservative, many users who were never at risk will have their API
keys reset by this migration.

To avoid this on self-hosted installations that have always used
e.g. LDAP authentication, we skip resetting API keys on installations
that don't have password authentication enabled.  System
administrators on installations that used to have email authentication
enabled, but no longer do, should temporarily enable EmailAuthBackend
before applying this migration.

The migration also records which users had their passwords or API keys
reset in the usual RealmAuditLog table.
2019-11-21 10:23:37 -08:00
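The remediation policy the commit message above describes (repair corrupt `password` fields, conservatively reset API keys unless the logs prove a key was never exposed, skip the key reset when password authentication is disabled, and record what was reset in an audit log), modelled as an added Python illustration. This is not Zulip's migration code. The Django-style hash layout, the definition of a "corrupt" field (anything that is neither a parseable hash nor an explicit unusable-password marker), and the per-user `logs_prove_key_safe` flag standing in for the log analysis are assumptions, since the page does not spell them out.

```python
"""Model of the remediation policy described in the commit message above.

Added illustration, not Zulip's migration code.  Assumptions not stated on
the page: password fields are Django-style "pbkdf2_sha256$iter$salt$b64hash"
strings, a 'corrupt' field is anything that does not parse as such (or as
Django's "!..." unusable-password marker), and whether "the logs prove the
key was never stolen" is supplied as a flag on each sample record instead of
being derived from real server logs.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Tuple

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 260000
UNUSABLE_PREFIX = "!"  # Django convention for "no usable password"


def make_password(raw: str, salt: str = "") -> str:
    """Hash a password in the (assumed) Django pbkdf2_sha256 layout."""
    salt = salt or secrets.token_hex(8)
    dk = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt}${base64.b64encode(dk).decode()}"


def make_unusable_password() -> str:
    """Explicit marker for social-auth-only accounts: can never match a login."""
    return UNUSABLE_PREFIX + secrets.token_hex(20)


def is_well_formed(stored: str) -> bool:
    """True for a parseable hash or an explicit unusable marker; False for
    anything else (empty string, bare plaintext, truncated hash, ...)."""
    if stored.startswith(UNUSABLE_PREFIX):
        return len(stored) > 1
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    iterations, salt, digest = parts[1:]
    return iterations.isdigit() and int(iterations) > 0 and bool(salt) and bool(digest)


def check_password(raw: str, stored: str) -> bool:
    """Constant-time verify.  A corrupt or unusable field never authenticates,
    even when the candidate password is the empty string."""
    if not is_well_formed(stored) or stored.startswith(UNUSABLE_PREFIX):
        return False
    _, iterations, salt, digest = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), int(iterations))
    return hmac.compare_digest(base64.b64encode(dk).decode(), digest)


@dataclass
class User:
    email: str
    password: str
    api_key: str
    logs_prove_key_safe: bool  # stand-in for the log analysis (assumption)


def remediate(users: List[User], password_auth_enabled: bool) -> List[Tuple[str, str]]:
    """Apply the policy the commit message describes and return audit-log
    style (email, event) records.

    * every corrupt password field is replaced by an unusable marker;
    * if password auth is enabled, every user whose key is not proven safe
      gets a fresh API key (deliberately conservative, as the message warns);
    * if password auth is disabled (e.g. LDAP-only), API keys are left alone.
    """
    audit: List[Tuple[str, str]] = []
    for u in users:
        if not is_well_formed(u.password):
            u.password = make_unusable_password()
            audit.append((u.email, "password_reset"))
        if password_auth_enabled and not u.logs_prove_key_safe:
            u.api_key = secrets.token_urlsafe(24)
            audit.append((u.email, "api_key_reset"))
    return audit


def sample_users() -> List[User]:
    """Constructed sample data, not real accounts."""
    return [
        User("alice@example.com", make_password("correct horse", "s1"), "key-a", True),
        User("bob@example.com", "", "key-b", False),  # corrupt (empty) field
        User("carol@example.com", make_unusable_password(), "key-c", False),
    ]


if __name__ == "__main__":
    users = sample_users()
    for email, event in remediate(users, password_auth_enabled=True):
        print(email, event)
```

Two practitioner checks fall out of this model. First, the property a fix must guarantee: `check_password("", "")` and `check_password("", <unusable marker>)` both return False, so a field that was left empty or malformed by a signup bug cannot be matched by a password login. Second, the operational caveat the commit message gives: the API-key branch only runs when `password_auth_enabled` is true, so an installation that once had EmailAuthBackend enabled but has since disabled it should turn it back on before applying the migration, otherwise no keys are reset.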
ci mypy: Remove daemon mode. 2019-08-25 15:04:12 -07:00
circleci requirements: Remove django-pipeline. 2019-07-24 17:40:31 -07:00
documentation_crawler docs: Deal with a few broken links. 2019-10-15 14:03:53 -07:00
droplets droplets: Update snapshot id. 2019-06-14 15:49:56 -07:00
i18n mypy: Upgrade from 0.720 to 0.730. 2019-11-13 12:38:45 -08:00
lib scripts: Move inline-email-css from tools to scripts. 2019-11-15 17:39:42 -08:00
linter_lib CVE-2019-18933: Fix insecure account creation via social authentication. 2019-11-21 10:23:37 -08:00
setup install-shellcheck: Upgrade ShellCheck from 0.6.0 to 0.7.0. 2019-11-11 16:26:31 -08:00
test-install test-install: Add bionic. 2019-08-09 16:27:03 -07:00
tests cleanup: Delete leading newlines. 2019-08-06 23:29:11 -07:00
zulip-export python: Migrate open statements to use with. 2019-07-20 15:48:52 -07:00
README.md cleanup: Delete trailing newlines. 2019-08-06 23:29:11 -07:00
__init__.py
build-docs build-docs: Fix shellcheck warnings. 2018-10-17 17:38:56 -07:00
build-release-tarball build-release-tarball: Run with zulip-py-venv symlink present. 2019-07-21 18:43:52 -07:00
cache-zulip-git-version version: Only let `git describe` match tags beginning with a digit. 2019-10-24 14:54:45 -07:00
check-capitalization i18n: Move static/locale back to locale. 2019-07-02 14:57:55 -07:00
check-frontend-i18n i18n: Move static/locale back to locale. 2019-07-02 14:57:55 -07:00
check-issue-labels lint: Fix code that evaded our lint checks for string % non-tuple. 2019-04-23 15:21:37 -07:00
check-openapi tools: Fix running check-openapi locally. 2019-08-07 14:18:27 -07:00
check-provision tools: Extract get_provisioning_status check logic. 2019-06-23 21:55:02 -07:00
check-templates linter_lib: Fix mypy errors. 2019-08-09 17:22:45 -07:00
clean-branches clean-branches: Fix shellcheck warnings. 2018-10-17 17:38:56 -07:00
clean-repo
commit-message-lint Use #!/usr/bin/env for bash shebangs. 2018-12-17 17:21:08 -08:00
commit-msg Use #!/usr/bin/env for bash shebangs. 2018-12-17 17:21:08 -08:00
conf.ini-template
coveragerc request: Tighten type checking on REQ. 2019-11-13 12:35:55 -08:00
create-test-api-docs tools: Remove unused imports. 2019-02-02 17:10:31 -08:00
deploy-branch Use #!/usr/bin/env for bash shebangs. 2018-12-17 17:21:08 -08:00
diagnose typing: Remove now-unnecessary conditional import. 2019-07-29 15:18:22 -07:00
django-template-graph django-template-graph: Fix shellcheck warnings. 2018-10-17 17:38:56 -07:00
do-destroy-rebuild-database flush-memcached: Respect MEMCACHED_LOCATION; handle errors. 2019-10-01 16:05:55 -07:00
do-destroy-rebuild-test-database do-destroy-rebuild-test-database: Fix shellcheck warnings. 2018-08-03 09:15:26 -07:00
documentation.vnufilter test-documentation: Validate HTML with vnu.jar. 2019-06-27 14:53:21 -07:00
fetch-pull-request Use #!/usr/bin/env for bash shebangs. 2018-12-17 17:21:08 -08:00
fetch-rebase-pull-request Use #!/usr/bin/env for bash shebangs. 2018-12-17 17:21:08 -08:00
find-add-class tools: Remove unused imports. 2019-02-02 17:10:31 -08:00
find-unused-css Use #!/usr/bin/env for bash shebangs. 2018-12-17 17:21:08 -08:00
get-handlebar-vars python: Migrate open statements to use with. 2019-07-20 15:48:52 -07:00
html-grep templates: Rename *.handlebars ↦ *.hbs and - ↦ _. 2019-07-12 21:11:03 -07:00
js-dep-visualizer.py tools: Add TypeScript to the dependency visualizer. 2019-04-12 11:14:42 -07:00
lint lint: Run mypy with --no-error-summary. 2019-11-13 13:26:02 -08:00
pre-commit lint: Add --skip arg to replace --no-gitlint/mypy. 2019-06-18 11:32:04 -07:00
pretty-print-html python: Migrate open statements to use with. 2019-07-20 15:48:52 -07:00
provision install, provision: Treat all nonzero exit codes as failure, not just 1. 2019-07-19 11:22:11 -07:00
push-to-pull-request Use #!/usr/bin/env for bash shebangs. 2018-12-17 17:21:08 -08:00
release-tarball-exclude.txt tests: Move zerver/fixtures to zerver/tests/fixtures for clarity. 2018-04-19 21:50:17 -07:00
renumber-migrations tools: Only files starting with same migration number conflict. 2018-07-10 21:09:34 +05:30
replacer zulint: Move lister.py to tools/zulint. 2018-08-04 19:53:53 -07:00
reset-to-pull-request Use #!/usr/bin/env for bash shebangs. 2018-12-17 17:21:08 -08:00
review tools/review: Don’t pretend to emulate shell=True either. 2018-07-30 22:39:08 -07:00
run-dev.py run-dev: Set HTTP header to show we're proxing from port 9991. 2019-10-08 17:53:09 -07:00
run-mypy lint: Run mypy with --no-error-summary. 2019-11-13 13:26:02 -08:00
run-tsc tsconfig: Move to top level. 2019-11-04 18:12:11 -08:00
run-yarn-deduplicate yarn.lock: Share duplicate packages with yarn-deduplicate. 2019-09-02 19:30:09 -07:00
setup-git-repo Use #!/usr/bin/env for bash shebangs. 2018-12-17 17:21:08 -08:00
show-profile-results mypy: Remove ignores for a few typeshed bugs fixed upstream. 2017-10-27 17:09:00 -07:00
stop-run-dev
test-all lint: Use --groups to specify specific groups to run. 2019-06-23 22:23:15 -07:00
test-api tests: Use admin client for curl examples test. 2019-11-15 15:53:31 -08:00
test-backend test-backend, run-casper: Remove proxy vars instead of setting to "". 2019-10-28 15:47:45 -07:00
test-documentation test-documentation: Validate HTML with vnu.jar. 2019-06-27 14:53:21 -07:00
test-emoji-name-scripts test-emoji-name-scripts: Avoid hardcoded paths in /var/tmp. 2019-01-15 16:05:50 -08:00
test-help-documentation test-help-documentation: Bind vnu.jar to 127.0.0.1. 2019-06-28 18:18:29 -07:00
test-js-with-casper
test-js-with-node shared: Set up a way to share some frontend code with the mobile app. 2019-10-17 16:48:23 -07:00
test-locked-requirements test-locked-requirements: Improve logged output. 2019-08-25 15:03:20 -07:00
test-migrations requirements: Upgrade django-otp from 0.5.2 to 0.6.0. 2019-07-07 22:28:54 -07:00
test-queue-worker-reload mypy: Upgrade from 0.720 to 0.730. 2019-11-13 12:38:45 -08:00
test-run-dev mypy: Upgrade from 0.720 to 0.730. 2019-11-13 12:38:45 -08:00
test-tools tools: Revert to Python 2 typing syntax for now. 2017-12-13 10:38:15 -08:00
update-authors-json update-authors-json: Clean up type ignores. 2019-08-09 16:39:16 -07:00
update-locked-requirements requirements: Add back future. 2019-10-11 14:04:35 -07:00
update-prod-static scripts: Move inline-email-css from tools to scripts. 2019-11-15 17:39:42 -08:00
update-zuliprc-api-field tools: Add tool to update API field of local zuliprc file. 2019-07-17 16:00:21 -07:00
webpack webpack: Enable code splitting and deduplication. 2019-10-28 15:53:15 -07:00
webpack-helpers.ts js: Automatically convert var to let and const in more files. 2019-11-20 14:10:47 -08:00
webpack.assets.json bundles: Factor out portico bundle. 2019-10-28 15:53:15 -07:00
webpack.config.ts js: Automatically convert var to let and const in more files. 2019-11-20 14:10:47 -08:00
zanitizer docs: Avoid hardcoded /tmp paths in miscellaneous documentation. 2019-01-15 16:16:12 -08:00
zanitizer_config.pm.sample zanitizer_config.pm.sample: keep_file → scrub_filename 2018-09-23 20:42:27 -07:00

README.md

This directory contains scripts that are used in building, managing, testing, and other forms of work in a Zulip development environment. Note that tools that are also useful in production belong in scripts/ or should be Django management commands.

For more details, see https://zulip.readthedocs.io/en/latest/overview/directory-structure.html.