Hubot security considerations

 I'm currently working in a project that integrates Hubot with an external system. If you don't know anything about Hubot you can read more here. It's definitely a very endearing project commissioned by Github.

In this small post, I would like to make some security considerations that I thought being useful for someone who needs to install Hubot in production

DIE command

The default Hubot installation (the one that is created by hubot --create mybot) exposes a DIE command, included in the ping.coffee file in the scripts folder. Any user in the room can invoke it as 'hubot DIE'. This command just simply terminates the current hubot instance. A possible mitigation for this risk could be just remove the ping.coffee file from the scripts folder or modify it commenting the command. You could also add an if clause to check if the user running the command has a given role.

Show Storage command

Another command available by default is the 'show storage' command, included in the storage.coffee file. This command shows all the data stored in brain (well, not all data since it's just showing the brain JSON object at a maximum of a depth 4). This command is available for everyone, so be aware of what kind of information you're storing in brain. If you are going to install custom scripts that store sensitive information in brain, you should consider  remove this command or add some restrictions on running it. You could also encrypt the data before saving in brain.

Auth vs Roles scripts

The default Hubot installtions loads two scripts to manage roles in hubot

• auth.coffee - Only users registered in HUBOT_AUTH_ADMIN env variable can manage roles (kind of secure mode). In this mode only the instance admins can do 'hubot user1 has god role'. 
• roles.coffee - Everyone in the room can manage roles (kind of a free mode). In this mode everyone can do 'hubot user1 is god'

These modes are mutually exclusive. If env variable HUBOT_AUTH_ADMIN is defined and has values (comma separated list of admin user IDs) then hubot uses the auth script, otherwise hubot uses the roles script. Make sure you define the variable HUBOT_AUTH_ADMIN with the list of user IDs that will be the hubot admins.

HTTP Endpoint secured

You can expose HTTP endpoints inside Hubot which will run hubot commands. Hubot uses internally the Express framework. By default, Hubot exposes these endpoints without any kind of security enabled. We can enable basic authentication by setting the enviroment variables EXPRESS_USER and EXPRESS_PASSWORD. It's strongly recommended to user strong passwords.

Finally I would like to recommend the book Automation and Monitoring with Hubot from Tomas Varaneckas. I bought the book when I started to work with Hubot and I have to say that it helped me a lot to enter quickly inside the world of Hubot.