Beanstalkd / Pheanstalk security issue

Published 2019-08-15 09:15

Question:

I have just started using beanstalkd and pheanstalk and I am curious whether the following situation is a security issue (and if not, why not?):

When designing a queue that will contain jobs for an eventual worker script to pick up and perform SQL database queries, I asked a friend what I could do to prevent an online user from going into port 11300 of my server, and inserting a job into the queue himself and hence causing the job to be executed with malicious code. I was told that I could include a password inside the job being sent.

Though after some time passed, I recognized that someone could perform a few simple commands on a terminal and obtain the job inside the queue, and hence find the password, and then create jobs with the password included:

telnet thewebsitesipaddress 11300 //creating a telnet connection
list-tubes //finding which tubes are currently being used
use a_tube_found //using one of the tubes found
peek-ready //see what's inside one of the jobs and find the password

What could be done to make sure this does not happen and my queue doesn't get hacked / controlled?

Thanks in advance!

Answer 1:

You can avoid those situations by placing beanstalkd behind a firewall or in a private network.

DigitalOcean (for example) offers such a service where you have a private network IP address which can be accessed only from servers of the same location.

We've been using beanstalkd in our company for more than a year, and we haven't had any of those issues yet.

I see, but what if the producer was a page called index.php, where when someone entered it, a job would be sent to the queue. In this situation, wouldn't the server have to be an open network?

The browser has no way to get in contact with the job server; it only accesses the resources /you/ allow it to, that is the view page. Only the back-end is allowed to access the job server. Also, if you build the web application in a certain way that the front-end is separated from the back-end, you're going to have even fewer potential security issues.
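A way to confirm the answer's advice has taken effect, as an added example that is not part of the original thread: the beanstalkd protocol has no authentication, so the only thing standing between an outsider and `list-tubes` / `peek-ready` is reachability of port 11300. The script below speaks the same protocol as the question's telnet session and parses the reply; run it against your own server's public address from a host that should be blocked, and the expected result after firewalling or binding to a private interface is `blocked`. The `probe` and `parse_reply` names and the sample reply are this example's own constructions.

```python
"""Exposure check for a beanstalkd listener (added example, not from the post)."""
import socket

PORT = 11300  # beanstalkd default port, as used in the question


def parse_reply(raw: bytes):
    """Parse one beanstalkd reply, e.g. b'OK 23\\r\\n---\\n- default\\n- a_tube\\n\\r\\n'.

    Returns (status, tubes): tubes is the YAML list body of an OK reply
    (what `list-tubes` prints in the question), empty for any other status."""
    head, _, body = raw.partition(b"\r\n")
    status, *args = head.decode("ascii", "replace").split() or ["EMPTY"]
    if status != "OK" or not args:
        return status, []
    yaml = body[: int(args[0])].decode("utf-8", "replace")
    return status, [line[2:] for line in yaml.splitlines() if line.startswith("- ")]


def _read_reply(sock) -> bytes:
    """Read a header line and, for OK replies, the <len> body bytes plus CRLF."""
    raw = b""
    while len(raw) < 65536:
        chunk = sock.recv(4096)
        if not chunk:
            break
        raw += chunk
        head, sep, body = raw.partition(b"\r\n")
        if not sep:
            continue
        parts = head.split()
        if not parts or parts[0] != b"OK" or len(parts) < 2:
            break  # error reply: single line, nothing more to read
        if len(body) >= int(parts[1]) + 2:
            break
    return raw


def probe(host: str, port: int = PORT, timeout: float = 3.0):
    """Return ('reachable', tubes) if an unauthenticated client gets any reply
    to `list-tubes`, otherwise ('blocked', reason). Point it at your own server."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"list-tubes\r\n")
            raw = _read_reply(s)
    except OSError as exc:  # refused, filtered/timed out, or no route: all good news
        return "blocked", str(exc)
    if not raw:
        return "blocked", "connection closed without a reply"
    status, tubes = parse_reply(raw)
    return "reachable", tubes if status == "OK" else [status]
```

A `reachable` result from outside the private network means the firewall or bind address (for example `beanstalkd -l <private-ip>`) is not doing its job yet.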