The following is only relevant to self-hosted deployments of Redash running V4. If you’re using the hosted version (app.redash.io), you can ignore this entirely.
We recently got a responsible disclosure from Nathan Smith about a problem with Redash’s support for Google OAuth authentication. This issue was introduced in V4 and affects only this version. If you’re using Google OAuth to authenticate users into Redash, we recommend that you follow the suggested fix steps.
Starting with Redash V4, if you had Google OAuth enabled, Redash was revealing your OAuth Client Secret in its /api/config API.
To the best of our understanding, this is NOT an actual issue due to the way we use Google’s OAuth service. Redash only uses it to validate your identity and retrieve your profile information (name, email, profile picture).
The worst someone can do with the OAuth Client Secret is read a user’s profile information, and only after getting hold of that user’s token, which requires a separate attack against the user (unless you were not using HTTPS).
Having said that, to be on the safe side we encourage you to update your Redash deployment.
How to fix this?
The issue and its fix are simple; you can see the fix in this commit.
You can upgrade to version 4.0.2 using the standard upgrade procedures. As an alternative, you can apply the patch manually:
1. Edit the file redash/settings/__init__.py (the full path depends on how your Redash instance is deployed).
2. Change line 53 to:
GOOGLE_OAUTH_ENABLED = bool(GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET)
3. Save and restart the web service.
Once you are done applying the fix, make sure to update your Google OAuth credentials.
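As an added illustration (not Redash’s own code), here is why wrapping the expression in bool() matters: Python’s `and` returns the last operand it evaluates, so an expression of the form `GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET` (the assumed pre-fix shape) evaluates to the secret string itself when both are set, and anything that serializes that “flag” into a public config payload leaks it. The credential values, function names and payload shape below are constructed for the example.

```python
"""Added example (not Redash code): `a and b` versus `bool(a and b)` in a
public config payload, plus a check that scans a payload for known secrets."""
import json

# Constructed sample credentials; not real values.
GOOGLE_CLIENT_ID = "example-client-id.apps.googleusercontent.com"
GOOGLE_CLIENT_SECRET = "CONSTRUCTED-SECRET-do-not-use"


def oauth_enabled_unsafe(client_id, client_secret):
    # Assumed pre-fix shape: `and` returns the last operand evaluated, so with
    # two non-empty strings this returns the secret string, not True.
    return client_id and client_secret


def oauth_enabled_fixed(client_id, client_secret):
    # Same shape as the advisory's fix: collapse the expression to a boolean.
    return bool(client_id and client_secret)


def build_public_config(enabled_flag):
    # Hypothetical stand-in for a /api/config-style payload that exposes
    # feature flags to unauthenticated clients.
    return {"googleLoginEnabled": enabled_flag}


def find_leaked_secrets(payload, secrets):
    """Return the JSON paths of string values that contain any known secret.

    Useful as a regression check on any endpoint that publishes settings."""
    leaks = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + [str(index)])
        elif isinstance(node, str):
            if any(secret and secret in node for secret in secrets):
                leaks.append("/".join(path))

    walk(payload, [])
    return leaks


def serialized_config(enabled_flag):
    # What a client would actually receive on the wire.
    return json.dumps(build_public_config(enabled_flag))
```

Running `find_leaked_secrets` over the payload built from the unsafe flag reports `googleLoginEnabled` as a leak; the fixed flag serializes as `true` and reports nothing.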
Making sure Redash is secure is important to us. We’re planning on conducting an external audit of our hosted offering (which of course includes the open source codebase) in the coming months. The results and conclusions of this audit will be incorporated into future releases.