USH-001 -- Secure Credentials Leak

[willdoran]

Expected behaviour

• Never send OAuth 2.0 authentication headers to a third party. This undermines thewhole OAuth 2.0 concept of keeping tokens secure.

Actual behaviour

• Ushahidi.io sends information to third party Getsentry for stacktrace logging. This can be used to troubleshoot and resolve anyissues that users experience.

Implementation

Client

• Add sanitizeKeys configuration to ravenjs in platform client.
• Filter any fields matching Authorization, client, secret and password fields

API

• Add processorOptions config to sentry php to send data through Raven_Processor_SanitizeDataProcessor
• Filter any fields matching Authorization, client, secret and password fields
• Check for any other sensitive fields used in the API.

Acceptance criteria

• Configure you local API and client deployments to use platform staging app
• Trigger errors on the client and watch for sentry HTTP requests
• Check Sentry requests do not contain sensitive info
• Check Sentry dashboard and confirm logged errors do not contain sensitive info

NB: You may need to temporarily enable allowDuplicates and other similar config in client to more easily trigger requests to sentry.

This is set here:
https://github.com/ushahidi/platform-client/blob/develop/app/index.html#L130
and the reference for config is here:
https://github.com/getsentry/raven-js/blob/master/docs/config.rst

[rjmackay]

Not sure exactly how we do this. But perhaps the dataCallback option will allow it https://docs.sentry.io/clients/javascript/config/

[Angamanga]

@willdoran Is this part of the security-update for this cycle? Could you move to spec once you start speccing it?

[rjmackay]

I've added some spec details to implementation and acceptance criteria.
I believe Will already started work on this in Montreal. @willdoran what branch was your WIP one?

[kinstella]

Where this says 'Check for any other sensitive fields used in the API.', is the intent to filter those fields with processorOptions, as well?

[rjmackay]

Where this says 'Check for any other sensitive fields used in the API.', is the intent to filter those fields with processorOptions, as well?

Yes. I just didn't want to try to make an exhaustive list since by the time I've done that I might as well write the code at the same time

[willdoran]

@rjmackay This makes sense to me though I know what allowDuplicates means, just adding a note to the description

[rjmackay]

I just tested this on http://csvexportsforever.v3-qa.ush.zone and there's still some data leakage in the trace somewhere. I think the API side is fine, but client needs more checking :(