potentially broken security@nodejs.org

[mcollina]

A friend of mine sent an email to security@nodejs.org, but the vulnerability never popped up in hackerone.

Can somebody verify everything is working as expected? Thanks

[lirantal]

it's configured here: https://github.com/nodejs/email/blob/master/iojs.org/aliases.json#L44
/cc @nodejs/website and @reedloden from hackerone to see if there should be any change in that hackerone fwding address.

[rvagg]

There's an additional layer of indirection via the Linux Foundation who manage @nodejs.org as a Google Apps account. We only control @iojs.org.

[reedloden]

I just tested it, and it worked fine for me. You can test it yourself by sending an email to the address (it won't create a report until you follow the directions in the e-mail you get back).

Perhaps the person didn't notice the email reply and/or follow the directions in the email? Looks like this:

[mcollina]

I think we should document this wherever security@nodejs.org is specified. It might get unnoticed.

(everything was sorted btw)

[lirantal]

@rvagg probably best to further update any documentation necessary in https://github.com/nodejs/email ?

[rvagg]

nodejs/email#126

[indutny]

The mailing list appears to be broken again: envoyproxy/envoy#5155 (comment) . The report was sent two times to the mailing list, but is nowhere to be found on the HackerOne! 😭

[reedloden]

@indutny I just tested it, and it's working fine. 🤷‍♂️

Again, e-mailing will not immediately create a report. You will receive a reply back from HackerOne with a link to finalize the report submission via the web portal. Perhaps they were overlooking the reply back?

[htuch]

@reedloden I just checked my e-mail (including spam) and see nothing from HackerOne. Is there any way to get some audit information from HackerOne on what happened here?

[reedloden]

@reedloden I just checked my e-mail (including spam) and see nothing from HackerOne. Is there any way to get some audit information from HackerOne on what happened here?

Can you provide the e-mail address you used? If you don't want to post it here, feel free to e-mail me at reed [at] hackerone.com. Would be happy to take a look at logs.

[reedloden]

DMARC strikes again.

The e-mail was received, but it wasn't parsed correctly because the From was security@nodejs.org due to Google Groups rewriting the e-mail due to @htuch's e-mail domain have a DMARC policy of p=reject.

The e-mail went like this:
@htuch's email provider --> Google Group (security@nodejs.org) --> Mailgun (security@iojs.org) --> HackerOne (nodejs-79566c66a30b0312@forwarding.hackerone.com).

We'll see what we can do on our side, but a fix on the Node.js side would be to directly forward mail rather than going through any intermediates that rewrite the From header.

[rvagg]

I've put in a request to the LF to have security@nodejs.org changed to a direct forward to nodejs-79566c66a30b0312@forwarding.hackerone.com.

This is a little bit sad because the intention of the iojs.org domain is that we control that and don't need to defer to the Linux Foundation who control nodejs.org.

[reedloden]

Can you do the same for security-ecosystem@ please?

…

On Thu, Apr 11, 2019 at 5:42 PM Rod Vagg ***@***.***> wrote: I've put in a request to the LF to have ***@***.*** changed to a direct forward to ***@***.*** This is a little bit sad because the intention of the iojs.org domain is that *we* control that and don't need to defer to the Linux Foundation who control nodejs.org. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#454 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAVf-1uUbhhMXE1qi6Z0qd1mmZRfwbb-ks5vf9aGgaJpZM4Y80DP> .

[rvagg]

The Linux Foundation helpdesk has gone Jira for handling requests so my request got bounced and and you now need to log in to get anything done with them. I have very limited patience when dealing with the LF so I'm going to ask @MylesBorins or @mhdawson to please handle these if they don't mind.

Myles & Michael, please see the additional request above ^ security-ecosystem@nodejs.org should go to nodejs-ecosystem-f6dff0c98b32758c@forwarding.hackerone.com.

[mhdawson]

I submitted the Jira request and it has been completed.

[mhdawson]

But just saw the new request. New request: https://jira.linuxfoundation.org/servicedesk/customer/portal/2/IT-16269

[rvagg]

thanks @mhdawson!

[mhdawson]

The response for the additional request was:

Hello,

security-ecosystem@nodejs.org already goes to 
nodejs-ecosystem-f6dff0c98b32758c@forwarding.hackerone.com. 

[sam-github]

@mhdawson https://jira.linuxfoundation.org/servicedesk/customer/portal/2/IT-16269 isn't viewable publically. Its good to have it there for completion, but just mentioning here because its not possible, or at least not for me, probably others, to see what state the request is in.

[sam-github]

So, is this all working now? Can the issue be closed?

[htuch]

@sam-github I guess a question is "how do we know if this is continually working?". I almost think something like a periodic prober would be warranted given the history of this issue. That said, I'm not a member of Node.JS security WG, so feel free to close if you wish.

[sam-github]

@htuch nodejs/build have trouble maintaining current infrastructure, I don't think we have capacity to add more, but if you'd like to join the build WG and maintain such a thing, or help in any other way, that would be great.