Bio Basespace SDK 0.1.7 Ruby Gem exposes API Key via command lin
Title: Bio Basespace SDK 0.1.7 Ruby Gem exposes API Key via command line
Date: 11/15/2013
Author: Larry W. Cashdollar, @_larry0
Download: http://rubygems.org/gems/bio-basespace-sdk
Description:
"BaseSpace Ruby SDK is a Ruby based Software Development Kit to be used =
in the development of Apps and scripts for working with Illumina's =
BaseSpace cloud-computing solution for next-gen sequencing data =
analysis. The primary purpose of the SDK is to provide an easy-to-use =
Ruby environment enabling developers to authenticate a user, retrieve =
data, and upload data/results from their own analysis to BaseSpace."
Vulnerability: The API client code passes the API_KEY to a curl command. =
This exposes the api key to the shell and process table. Another user =
on the system could snag the api key by just monitoring the process =
table.=20
In the following code snippet:
bio-basespace-sdk-0.1.7/lib/basespace/api/api_client.rb
# +headers+:: Header of the PUT call.
# +trans_file+:: Path to the file that should be transferred.
def put_call(resource_path, post_data, headers, trans_file)
return %x(curl -H "x-access-token:#{@api_key}" -H =
"Content-MD5:#{headers['Content-MD5'].strip}" -T "#{trans_file}" -X PUT =
#{resource_path})
end
Vendor: Notified 11/15/2013
Advisory: http://www.vapid.dhs.org/advisories/bio-basespace-sdk.html=