Security Review of GCP Backend #3015

russjones · 2019-09-24T18:33:06Z

The new GCP backend introduced in #3014 needs a security review before cutting 4.2.

At the minimum session upload needs to be checked that it doesn't clobber an existing session recording.

awly · 2020-05-26T23:15:20Z

Notes from review:

session upload could indeed overwrite a previous upload
lib/backend/firestore key escaping could lead to data corruption by mapping different teleport keys to the same firestore documentIDs
some minor bugs like unhandled errors, possible nil pointer dereferences, missing connection/resource cleanup
some stylistic problems (that aren't bugs)

Sent #3766 to fix all found problems, except for stylistic ones.

russjones added this to the 4.2 "Alameda" milestone Sep 24, 2019

russjones self-assigned this Sep 24, 2019

benarent added the security Security Issues label Nov 1, 2019

klizhentas modified the milestones: 4.2 "Alameda", 4.3 "Concord" Nov 5, 2019

russjones modified the milestones: 4.3 Kaizen "Concord", 5.0 "Oceanside" Apr 14, 2020

benarent modified the milestones: 5.0 "Oceanside" , 5.1 "San Diego" Apr 14, 2020

awly self-assigned this May 14, 2020

awly modified the milestones: 5.1 "San Diego", 4.3 "Oceanside" May 14, 2020

awly mentioned this issue May 26, 2020

GCP backend cleanup and safety improvements #3766

Merged

awly closed this as completed in #3766 May 27, 2020

Provide feedback