Monday, December 27, 2010

Securing the Redmine_S3 plugin

We run redmine internally here at Fuery Solutions. Redmine is a fantastic tool for managing software development projects.

One of the unfortunate "features" redmine has is the habit of storing uploaded files without any security, regardless of whether the system itself is password protected or not. The redmine s3 plugin echoes this habit, setting all uploaded documents to readable by the entire internet. Obviously, the URLs are somewhat obscure, but as the cliche goes, obscurity is not security.

Here are instructions for altering the plugin to use temporary authorized URLs. This effectively offloads the security requirements to Amazon's formidable infrastructure.

These instructions apply to:

  • Redmine 1.0.x
  • Redmine_S3 v 0.03
Files you'll be editing (where "redmine" is your rails application root):
  1. redmine/vendor/plugins/redmine_s3/lib/redmine_s3/attachment_patch.rb
  2. redmine/vendor/plugins/redmine_s3/lib/redmine_s3/attachments_controller_patch.rb
  3. redmine/vendor/plugins/redmine_s3/lib/redmine_s3/connection.rb
First, we need to disable the "set newly uploaded files to be readable" command. This entails commenting a single line in attachment_patch.rb, on line 24:

#Private (not readable by everyone) is the default.

This handles newly created files. Next, we need to add the capability to retrieve a URI with the AWS temporary authorization keys. The S3 lib the plugin uses actually contains theses goodies already, so we just need a wrapper function in connection.rb that uses the QueryStringAuthGenerator class. This function isn't as clean as it could be, but we threw this together in an hour. Add this function to the Connection class in connection.rb:

def self.private_uri(filepath)
 load_options unless @@access_key_id && @@secret_acces_key
 @@qs_conn =, @@secret_acces_key, false) unless @@qs_conn
 @@qs_conn.get(bucket, filepath)

I added this on line 37, between the bucket and uri functions. You'll also, of course, need to initialize @@qs_conn by adding this at the beginning of the file (line 7 or so):

@@qs_conn = nil

Finally, we need to adjust the controller function that handles the response to the attachment GET requests themselves. Adjust attachments_controller_path.rb on line 23:

#Comment the current line 23.
#New code

Don't forget to restart your application after performing these changes. You'll also, of course, need to adjust the file settings in AWS for previously uploaded files. Although this new code works for viewing those files, the security settings ("visible to everyone") need to be reset manually.