Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MB_JETTY_SKIP_SNI evaluating env variable as string instead of bool, always evaluating to truthy if set #42435

Open
likeshumidity opened this issue May 8, 2024 · 1 comment
Open

MB_JETTY_SKIP_SNI evaluating env variable as string instead of bool, always evaluating to truthy if set #42435

likeshumidity opened this issue May 8, 2024 · 1 comment
Labels
.Backend Operation/Environment variables Priority:P1 Security holes w/o exploit, crashing, setup/upgrade, login, broken common features, correctness .Team/AdminWebapp Admin and Webapp team Type:Bug Product defects

Comments

@likeshumidity
Copy link
Contributor

likeshumidity commented May 8, 2024
edited

Describe the bug

Setting MB_JETTY_SKIP_SNI always evaluates to false if unset and always evaluates to true if set because config/config-str being used instead of config/config-bool for :mb-jetty-skip-sni.

To Reproduce

  1. Generate a self-signed cert replacing YOUR.HOSTNAME with your hostname (can't be localhost and requires at least one . in the hostname. (May need to add a line to your /etc/hosts when using 127.0.0.1.)
# leave all prompted values for CN, CO, ST, etc. blank
$ keytool -keystore selfsigned-ip-cn-and-san-nohost.jks -storepass storepass -genkeypair -keyalg RSA -validity 365
  1. Set Jetty to run with SSL like below:
MB_SITE_URL=https://YOUR.HOSTNAME:8443
MB_JETTY_SSL=true
MB_JETTY_SSL_PORT=8443
MB_JETTY_SSL_KEYSTORE=/app/selfsigned.jks
MB_JETTY_SSL_KEYSTORE_PASSWORD=storepass
MB_JETTY_SKIP_SNI=false
  1. Set MB_JETTY_SKIP_SNI to any value (e.g. false, "false", true, "true", abc123)
  2. Run Metabase
  3. Metabase runs JETTY with SNI disabled
  4. To verify behavior with SNI enabled, comment out MB_JETTY_SKIP_SNI=false in the .env file which defaults to false and should see an SNI error since the hostname won't match the certificate

Expected behavior

  • Expect these to set :mb-jetty-skip-sni to false and enable SNI:
    • MB_JETTY_SKIP_SNI=false
    • MB_JETTY_SKIP_SNI="false"
    • not setting MB_JETTY_SKIP_SNI in the .env
  • Expect these to set :mb-jetty-skip-sni to true and disable SNI:
    • MB_JETTY_SKIP_SNI=true
    • MB_JETTY_SKIP_SNI="true"

Logs

If SNI enabled and hostname doesn't match certificate, then expect to see below in logs:
image

If SNI disabled, expect to see nothing unusual in the logs

Information about your Metabase installation

- `master` as of `0468c9a7f5946c9a9d3b91ced5cee9a68d81533e`
- v1.49.8

Severity

P1: Users unable to explicitly set MB_JETTY_SKIP_SNI to false

  • Metabase could be deployed with MB_JETTY_SKIP_SNI=false explicitly requiring SNI to address a risk and SNI would be disabled, and there may be no indication to administrator that it was not working unless they tried to verify it which would be unusual.

Additional context

https://metaboat.slack.com/archives/C052ZBWRG3W/p1715096284142429
@dosubot dosubot bot added the .Backend label May 8, 2024
likeshumidity added a commit that referenced this issue May 8, 2024
@likeshumidity
Update environment-variables.md
7baa0b2 
true and false were reversed. relates to #42435

Likely backwards because any value was returning truthy, so testing worked as expected when testing the non-default, but no-one tried testing setting the default explicitly.
@likeshumidity likeshumidity added Priority:P1 Security holes w/o exploit, crashing, setup/upgrade, login, broken common features, correctness and removed Priority:P1 Security holes w/o exploit, crashing, setup/upgrade, login, broken common features, correctness Priority:P2 Average run of the mill bug labels May 9, 2024
@likeshumidity
Copy link
Contributor Author

On the fence re: P1 vs P2, so can downgrade if needed. It seems most modern browsers warn users if SNI not enabled with a "your connection is not private" message or similar. But seems like an easy fix as well re: one line change.

@calherries calherries added .Team/AdminWebapp Admin and Webapp team and removed .Needs Triage labels May 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
.Backend Operation/Environment variables Priority:P1 Security holes w/o exploit, crashing, setup/upgrade, login, broken common features, correctness .Team/AdminWebapp Admin and Webapp team Type:Bug Product defects
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@likeshumidity @calherries