Skip to content

Latest commit

 

History

History
50 lines (43 loc) · 3.88 KB

attack-surface.md

File metadata and controls

50 lines (43 loc) · 3.88 KB

Attack Surface Analysis for conductor-oss/conductor

Attack Surface: 1. Workflow Definition Manipulation

  • Description: Attackers gain unauthorized access to create, modify, or delete workflow definitions via the Conductor API or persistence layer.
  • Conductor Contribution: Conductor's core functionality is defining and executing workflows. The API and persistence layer are provided by Conductor for managing these definitions.
  • Example: An attacker gains access to the Conductor API and creates a workflow that executes a shell script (within a poorly configured worker - but the ability to create the workflow is the Conductor issue). Alternatively, they modify an existing workflow to exfiltrate data.
  • Impact:
    • Arbitrary code execution (indirectly, via malicious workflows).
    • Data exfiltration.
    • Denial of service.
    • Business logic bypass.
    • System compromise (indirectly).
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Strong Authentication & Authorization: Implement robust authentication (OAuth 2.0, API keys with fine-grained permissions) and authorization (RBAC) for the Conductor API. MFA for administrative access. This is Conductor's API.
    • Input Validation: Conductor itself should strictly validate all workflow definitions. Use schema validation (JSON Schema) to enforce structure and content. Reject non-conforming definitions.
    • Audit Logging: Conductor should log all changes to workflow definitions, including who made the change and when.
    • Least Privilege (Conductor Server): The Conductor server process should run with minimal privileges. It should not have root/admin access.
    • Immutability (Consideration): Explore making workflow definitions immutable after deployment, preventing modifications without a formal process.

Attack Surface: 2. Unauthorized Task Execution

  • Description: Attackers directly trigger the execution of tasks via the Conductor API, bypassing workflow logic.
  • Conductor Contribution: Conductor's API provides endpoints for direct task manipulation and execution.
  • Example: An attacker discovers a Conductor API endpoint that allows starting a task directly. They use this to bypass workflow controls.
  • Impact:
    • Bypass of business logic and security controls.
    • Unauthorized actions.
    • Potential data issues (depending on the task).
  • Risk Severity: High
  • Mitigation Strategies:
    • API Authentication & Authorization: Strictly control access to Conductor's API endpoints for task manipulation. Use strong authentication and authorization (as above).
    • Rate Limiting: Conductor should implement rate limiting on task execution API endpoints.

Attack Surface: 3. Unauthenticated/Unauthorized API Access

  • Description: Attackers access the Conductor API without proper authentication or authorization.
  • Conductor Contribution: Conductor provides the REST API. Its security is a direct Conductor responsibility.
  • Example: The Conductor API is deployed without authentication. An attacker can directly access the API.
  • Impact:
    • Complete control over Conductor.
    • All impacts of workflow manipulation and unauthorized task execution.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Mandatory Authentication: Enforce authentication for all Conductor API endpoints. No unauthenticated access.
    • Strong Authentication: Use OAuth 2.0, JWT, or strong API keys.
    • Authorization (RBAC): Implement RBAC to restrict API access based on roles.
    • TLS/SSL: Always use TLS/SSL (HTTPS) for the Conductor API.