OpenRefine Vulnerabilities Question


resear...@gmail.com

Nov 2, 2016, 6:50:53 PM
to OpenRefine
Is anyone aware of any known vulnerabilities with OpenRefine?

Thad Guidry

Nov 3, 2016, 10:59:23 AM
to OpenRefine
None that have been reported to us.

As with any locally installed software, your data is only as secure as the level of paranoia and precautions you take with any other software: firewalls, malware/virus protection, encryption, etc.

If you have concerns, or other questions surrounding security of your local data, we would be more than happy to answer them.

On Wed, Nov 2, 2016 at 5:50 PM <resear...@gmail.com> wrote:
Is anyone aware of any known vulnerabilities with OpenRefine?

--
You received this message because you are subscribed to the Google Groups "OpenRefine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openrefine+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

David Leoni

Nov 5, 2016, 4:27:28 AM
to OpenRefine

There is one obvious security issue. Since Refine allows users to execute unrestricted Python scripts via Jython for performing data transformations, a malicious user can easily run scripts of his choice, with the same OS privileges the process running Refine has. This is especially a problem when exposing Refine to users via the web, which is not the main Refine use case, though.

I thought about a couple of workarounds (but I'm no security expert):
- just disable Python scripting (easy, and you can still do more secure scripting with GREL)
- sandboxing Python (maybe hard, I've never done it)

Regards,
David

Tom Morris

Nov 5, 2016, 4:29:28 PM
to openr...@googlegroups.com
I would hope that any discovered vulnerabilities would be reported to the developers first -- and we haven't heard of any.

The "issue" mentioned by David Leoni isn't actually an issue at all because the Refine server is started by the user who's accessing it, so has the same credentials and privileges that the user has. Any damage done using Refine could be done by the user using Python or any other tool that they invoke.

Tom


David Leoni

Nov 6, 2016, 3:55:08 AM
to openr...@googlegroups.com, Tom Morris
On 11/05/2016 09:28 PM, Tom Morris wrote:
The "issue" mentioned by David Leoni isn't actually an issue at all because the Refine server is started by the user who's accessing it, so has the same credentials and privileges that the user has. Any damage done using Refine could be done by the user using Python or any other tool that they invoke.
You describe the use case for which OpenRefine is advertised, and for that use case I agree there is no issue.

Maybe I was not clear enough. I was referring to the use case when Refine is run in server mode and exposed to potentially untrusted users, who are different from the one who started the process. I know it is not a supported use case; nonetheless, some people run Refine this way.
In this case, it is the responsibility of the system administrator to ensure Refine is exposed only to the intended audience, and that such an audience can't misuse Refine. Since Refine is a modular system, it is again the system administrator's responsibility to look at each module and determine whether it may pose a risk or not. The first misuse that comes to mind is trying to exploit the Jython module to run shell commands via Python scripting.

Regards,
David

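Both of David's points, the workaround list in his first message and the later point that an administrator running Refine in server mode must ensure it is exposed only to its intended audience, come down to one checkable fact: which network interface the Refine process is listening on. The following is an added example, not code from OpenRefine or from anyone in this thread. It parses `ss -tlnp`-style listener output and flags any listener on OpenRefine's default port (assumed here to be 3333) that is bound to something other than a loopback address. The socket listing below is constructed for the example; on a real host you would feed it the output of `ss -tlnp` instead.

```python
"""Flag a Refine-style listener that is reachable from outside the local host.

Added example for the OpenRefine thread; not OpenRefine code. Assumes the
default OpenRefine port 3333 and the column layout of `ss -tlnp` output.
"""
import subprocess
from dataclasses import dataclass

REFINE_DEFAULT_PORT = 3333          # OpenRefine's default HTTP port (assumption)
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}

# Constructed sample of `ss -tlnp` output: one loopback-only Refine listener,
# one Refine listener bound to all IPv4 interfaces, plus two unrelated services.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      50     127.0.0.1:3333     0.0.0.0:*         users:(("java",pid=4242,fd=51))
LISTEN 0      50     0.0.0.0:3333       0.0.0.0:*         users:(("java",pid=4243,fd=51))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=800,fd=3))
LISTEN 0      511    0.0.0.0:8080       0.0.0.0:*         users:(("nginx",pid=900,fd=6))
"""


@dataclass(frozen=True)
class Listener:
    host: str      # bound address with IPv6 brackets stripped, e.g. "0.0.0.0" or "::"
    port: int
    process: str   # the "users:(...)" column, if present


def parse_ss_output(text: str) -> list[Listener]:
    """Turn `ss -tlnp` text into Listener records, skipping the header row."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is "host:port"; IPv6 hosts are bracketed, so split on the last colon.
        host, _, port = fields[3].rpartition(":")
        process = fields[5] if len(fields) > 5 else ""
        listeners.append(Listener(host.strip("[]"), int(port), process))
    return listeners


def is_exposed(listener: Listener) -> bool:
    """True if the socket is bound to anything but a loopback address.

    Wildcard binds (0.0.0.0, ::, *) and specific non-loopback interfaces are
    both treated as exposed: either way, a user who did not start the process
    could reach the Refine UI, which is the situation the thread warns about.
    """
    return listener.host not in LOOPBACK_ADDRS


def find_exposed(listeners: list[Listener], port: int = REFINE_DEFAULT_PORT) -> list[Listener]:
    """Return the listeners on `port` that are reachable from other hosts."""
    return [l for l in listeners if l.port == port and is_exposed(l)]


def audit_live(port: int = REFINE_DEFAULT_PORT) -> list[Listener]:
    """Run the check against this host's real socket table (Linux, needs `ss`)."""
    out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    return find_exposed(parse_ss_output(out), port)


if __name__ == "__main__":
    # Stand-alone run uses the constructed sample rather than the live socket table.
    for l in find_exposed(parse_ss_output(SAMPLE_SS_OUTPUT)):
        print(f"WARNING: port {l.port} bound to {l.host} ({l.process}) is reachable from other hosts")
```

A loopback-only bind is the configuration Tom describes, where the only person who can reach the Jython scripting endpoint is the user who started the process. Any entry this check reports is the server-mode situation David describes, where the administrator has to decide whether the Python scripting module should be disabled or otherwise restricted for the users who can reach it.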