GX-2017-0003: Unauthorized filesystem access via data source tools
A medium severity security vulnerability in tools utilizing the Galaxy data source protocol was recently discovered by Dan Blankenberg. This vulnerability allows anyone able to run an external data source tool to add to their history any file that is readable by the user running Galaxy jobs on the host where the job runs. This is due to the Python urllib library's ability to operate on `file://` URLs and a failure to check for such URLs in the tool.
This vulnerability has been assigned the disclosure ID GX-2017-0003.
This vulnerability affects all known versions of Galaxy.
Many such "external data source" tools are provided with the Galaxy distribution and are enabled by default (most tools under the "Get Data" section of the tool panel), meaning that its exploitability is fairly high, as only one such tool needs to be enabled to be vulnerable, including any custom data source tools (any tool that uses `tools/data_source/data_source.py`). What files will be readable depends entirely upon what the job's user has access to read on the host(s) where jobs run.
Per our security policies, we have created fixes for all affected versions of Galaxy. These have been committed to the corresponding `release_YY.MM` (and `dev`) branches in the Galaxy GitHub repository.
Releases prior to 16.07 will remain vulnerable and should be updated to a supported release as soon as possible.
Eric Rasche recently undertook a hardening of the Galaxy code base against common security mishaps. This included changing most uses of `urllib` to `requests`, which does not operate on `file://` URLs. Although no exploits were identified at that time, we felt this work was of great enough importance to production Galaxy servers that we backported it to releases from 16.07 forward. Because of this, and the GX-2017-0001 and GX-2017-0002 vulnerabilities, administrators are strongly encouraged to update immediately, even if they do not believe their servers are vulnerable.
The fixes are available on the `release_16.07` through `release_17.09` and `dev` branches in the Galaxy GitHub repository. You can simply `git pull` or use your normal update procedure to get the changes.
For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER PROCESSES.