3.0.2 patch released

Open OnDemand 3.0.2 has been released, fixing a couple of security vulnerabilities along with some bug fixes.

Security fixes:

  • Ruby code execution on the web node. Versions 3.0.1 and below (i.e., all versions) are vulnerable to malicious users executing arbitrary Ruby code on the web node, which could result in fork bombs or similar.
  • Several updates to the ALLOWLIST_PATH feature have been made. There were several routes by which users could view files outside of the ALLOWLIST.
    • Unix permissions can never be circumvented, but even so, users could see files outside of this ALLOWLIST.
    • Sites that don’t use the ALLOWLIST_PATH are unaffected by this.

Bug Fixes:

  • The files app can correctly download hidden files and folders.
  • auto_modules correctly filters hidden modules.
  • auto_modules will now correctly show modules with hyphens (-) in the name, though users have to use underscores (_) when templating scripts.
  • Quality and Compression inputs correctly work on VNC applications (this was broken in 3.0.1; thank you @ndusek for the patch!).
  • The file editor now supports Fortran highlighting.

Lastly, I want to give a big thanks to the team at CSC - IT Center for Science, Finland, who disclosed the security vulnerabilities to us! Thank you!