Search and browse documents and data; find the people and companies you look for.
During a routine security audit of Aleph we’ve become aware of ⚠️ security vulnerabilities ⚠️ in Aleph and ingest-file, the component that handles files uploaded to Aleph. We recommend that you update Aleph instances you operate to the latest patched releases:
Please find detailed information about the patched vulnerabilities below:
As part of the investigations feature, users can upload files to Aleph. The detail view in Aleph offers a sanitized preview of a file, but Aleph also allows users to download the unsanitized source file. Before a source file is downloaded, Aleph displays a confirmation prompt warning that source files may contain malware or may notify the originator of the file.
After the download completes, however, the browser opens the file automatically in the same window whenever it supports the file’s MIME type. This contradicts the warning shown before the download and enables phishing: for instance, an uploaded HTML file resembling the Aleph login interface would render directly in the user’s browser window.
Aleph versions up to and including 3.15.5.
The vulnerability is exploitable if you have configured your Aleph instance to use Google Cloud Storage or AWS S3 (or a service compatible with S3) as a storage backend for files uploaded to Aleph via the “ARCHIVE_TYPE” configuration option. The default storage backend that stores files on the local file system is not affected.
Aleph versions 3.15.6 and newer contain a patch for this vulnerability. Patched versions set the “Content-Disposition” header to instruct browsers to download files as an attachment instead of opening them after the download has completed.
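As an added example (not Aleph's own code), the following shows the control the advisory describes: building a `Content-Disposition: attachment` value that forces a download, with the user-chosen filename stripped of header-injection characters and carried in both the ASCII `filename=` form and the RFC 5987 `filename*` form. The function names and the dict returned by `s3_response_override` are assumptions for illustration; the `response-content-disposition` request parameter itself is part of the S3 GetObject API, which is how the header can be set when the bucket, not Aleph, serves the bytes.

```python
"""Force a download instead of inline rendering via Content-Disposition.

Added example, not Aleph's own code. A response (or a pre-signed bucket URL)
carrying `Content-Disposition: attachment` makes the browser save the file
rather than open an HTML or SVG upload in the current window. Filenames follow
RFC 6266 (ASCII `filename=`) plus an RFC 5987 `filename*` for non-ASCII names;
CR, LF, quotes, backslashes, semicolons and slashes are stripped so a
user-chosen filename cannot smuggle extra header fields or path parts.
The function names and the `s3_response_override` dict shape are assumptions.
"""
import re
import unicodedata
from urllib.parse import quote

_UNSAFE = re.compile(r'[\r\n"\\;/]')


def clean_filename(filename: str) -> str:
    """Strip characters that are never legitimate in a download name."""
    return _UNSAFE.sub("", filename).strip() or "download"


def ascii_fallback(cleaned: str) -> str:
    """ASCII-only name for the plain `filename=` parameter."""
    plain = unicodedata.normalize("NFKD", cleaned).encode("ascii", "ignore").decode()
    return plain.strip() or "download"


def content_disposition(filename: str, inline: bool = False) -> str:
    """Header value for `filename`; the default (inline=False) forces a download."""
    cleaned = clean_filename(filename)
    fallback = ascii_fallback(cleaned)
    value = f'{"inline" if inline else "attachment"}; filename="{fallback}"'
    if cleaned != fallback:
        # Non-ASCII names travel in RFC 5987 form. Percent-encode everything so
        # the parameter is one unambiguous token for every browser.
        value += "; filename*=UTF-8''" + quote(cleaned, safe="")
    return value


def s3_response_override(filename: str) -> dict:
    """Query parameter for a pre-signed S3 GetObject URL (illustrative shape).

    S3 honours `response-content-disposition` on GetObject, so when the
    application redirects to the bucket, the bucket itself sends the header.
    With boto3 the same value goes into
    Params={"ResponseContentDisposition": ...} of generate_presigned_url.
    """
    return {"response-content-disposition": content_disposition(filename)}
```

The check a practitioner wants after deploying such a fix is simple: fetch a known HTML upload through the real download path and confirm the response (or the redirected bucket response) carries `attachment`, not `inline` and not no header at all.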
Aleph sends a daily notification digest via email to users. Notification digests are enabled by default and can be disabled by users.
When a user creates an investigation and then shares it with another user who has daily notification digests enabled, the name of the user who created the investigation and the name of the investigation aren’t properly sanitized or encoded.
This means that links and other HTML markup included in the user’s name or in the investigation name will be rendered as is in the notification email which can enable (targeted) phishing campaigns.
Aleph versions up to and including 3.15.5.
The vulnerability is exploitable if you have set up email sending for your Aleph instance via the “ALEPH_MAIL_*” configuration options.
Aleph versions 3.15.6 and newer contain a patch for this vulnerability. Patched versions properly encode user-controlled data in notification emails.
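As an added example (not Aleph's code), the two renderers below contrast the bug with the fix: the unsafe variant interpolates the sharing user's name and the investigation label into the digest HTML as-is, the fixed variant passes every untrusted value through `html.escape` first. The template, the sample names and the `unexpected_tags` check are constructed for illustration.

```python
"""Render a notification digest with user-controlled values escaped.

Added example, not Aleph's code. Contrasts the vulnerable behaviour (user and
investigation names inserted into HTML verbatim) with the fix (each untrusted
value escaped at the point of insertion). Names, template and markup are
constructed for illustration.
"""
import html
import re

# Constructed sample: an attacker sets their display name to a phishing link
# and names the investigation with an inline script.
ATTACKER_NAME = '<a href="https://login.example.invalid/reset">Aleph Admin</a>'
INVESTIGATION = 'Q3 leaks<script>location="https://evil.example.invalid"</script>'

DIGEST_TEMPLATE = (
    "<p><strong>{actor}</strong> shared the investigation "
    "<em>{label}</em> with you.</p>"
)

_TAG = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)")


def render_digest_unsafe(actor: str, label: str) -> str:
    """Vulnerable variant: str.format drops raw HTML into the email body."""
    return DIGEST_TEMPLATE.format(actor=actor, label=label)


def render_digest(actor: str, label: str) -> str:
    """Fixed variant: escape every untrusted value before it meets the template.

    quote=True also escapes ' and " so a value placed inside an attribute
    cannot break out of it.
    """
    return DIGEST_TEMPLATE.format(
        actor=html.escape(actor, quote=True),
        label=html.escape(label, quote=True),
    )


def unexpected_tags(body: str, allowed=("p", "strong", "em")) -> set:
    """Tag names present in `body` that the template itself never emits.

    A non-empty result means some value reached the HTML unencoded; this is
    a cheap guard to run on rendered mail before it is handed to the MTA.
    """
    return {m.group(1).lower() for m in _TAG.finditer(body)} - set(allowed)
```

If a templating engine is in use, the equivalent fix is enabling autoescaping for the email templates rather than escaping by hand at each call site.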
Aleph allows users to create entity mappings for uploaded spreadsheets. Using this feature, rows in a spreadsheet can be converted to FollowTheMoney entities in an investigation.
The access controls in the API endpoints for the mappings feature contain a bug that allows users without read or write access to the collection to view, update, trigger, and delete mappings as well as to delete or modify entities generated using a mapping.
The bug allows unauthorized access to the following mapping metadata:
The bug does not allow users to view the entities generated from the mappings or the contents of the source spreadsheet.
Aleph versions up to and including 3.15.5.
Aleph versions 3.15.6 and newer contain a patch for this vulnerability. Patched versions properly verify user permissions when sending requests to the API endpoints for the mappings feature.
Aleph allows users to manage metadata for investigations and datasets, including a label and a description as well as URLs to the publisher and source of the data. The metadata is displayed in the Aleph UI when viewing investigations and datasets.
Aleph allows users to specify a “foreign_id” when creating new investigations or datasets. The “foreign_id” can be used to reference the investigation or dataset when using the Aleph API or the alephclient CLI.
Due to a bug, when creating a new investigation or dataset with a “foreign_id” that is already used by another investigation or dataset, Aleph updates the metadata of the existing investigation/dataset instead of failing.
This bug allows users without the necessary permissions to update investigation and dataset metadata.
However, the bug does not allow unauthorized users to view investigation and dataset metadata or data added or uploaded to the investigation or dataset.
Aleph versions up to and including 3.15.5.
Aleph versions 3.15.6 and newer contain a patch for this vulnerability. Patched versions properly verify user permissions when creating or updating investigations or datasets.
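Both of the two preceding advisories (the mapping endpoints and the duplicate `foreign_id`) come down to the same object-level authorization rule, so one added example covers both. It is not Aleph's code: the in-memory model, the exception types and the function names are constructed. It shows (1) every action on a mapping being authorized against the collection the mapping belongs to, not merely by the mapping existing, and (2) creation with an already-used `foreign_id` failing with a conflict instead of silently updating another user's record.

```python
"""Object-level authorization for collections, mappings and foreign_id lookups.

Added example, not Aleph's code; the model, exceptions and names are
constructed. Two rules are enforced: a mapping inherits the ACL of its
parent collection, and creating a collection whose foreign_id is taken is a
conflict, never an update.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """User lacks the required access on the collection."""


class Conflict(Exception):
    """foreign_id already in use by another collection."""


@dataclass
class Collection:
    id: int
    foreign_id: str
    label: str
    readers: set = field(default_factory=set)
    writers: set = field(default_factory=set)


@dataclass
class Mapping:
    id: int
    collection_id: int
    table_id: str  # the uploaded spreadsheet the mapping reads rows from
    query: dict


class Store:
    def __init__(self):
        self.collections = {}
        self.mappings = {}
        self._next = 1

    def require(self, user, collection_id, write=False) -> Collection:
        """Resolve a collection and check the caller's access on it."""
        coll = self.collections.get(collection_id)
        if coll is None:
            raise KeyError(collection_id)
        allowed = coll.writers if write else (coll.readers | coll.writers)
        if user not in allowed:
            raise Forbidden(f"{user} cannot access collection {collection_id}")
        return coll

    def create_collection(self, user, foreign_id, label) -> Collection:
        if any(c.foreign_id == foreign_id for c in self.collections.values()):
            # The bug: this branch used to become an update of the existing
            # record. Creation must never mutate something the caller may not own.
            raise Conflict(foreign_id)
        coll = Collection(self._next, foreign_id, label, writers={user})
        self.collections[coll.id] = coll
        self._next += 1
        return coll

    def update_collection(self, user, collection_id, label) -> Collection:
        coll = self.require(user, collection_id, write=True)
        coll.label = label
        return coll

    def create_mapping(self, user, collection_id, table_id, query) -> Mapping:
        self.require(user, collection_id, write=True)
        mapping = Mapping(self._next, collection_id, table_id, query)
        self.mappings[mapping.id] = mapping
        self._next += 1
        return mapping

    def _mapping_for(self, user, mapping_id, write) -> Mapping:
        mapping = self.mappings.get(mapping_id)
        if mapping is None:
            raise KeyError(mapping_id)
        # The check is on the parent collection, not on the mapping id alone.
        self.require(user, mapping.collection_id, write=write)
        return mapping

    def get_mapping(self, user, mapping_id) -> Mapping:
        return self._mapping_for(user, mapping_id, write=False)

    def update_mapping(self, user, mapping_id, query) -> Mapping:
        mapping = self._mapping_for(user, mapping_id, write=True)
        mapping.query = query
        return mapping

    def delete_mapping(self, user, mapping_id) -> None:
        self._mapping_for(user, mapping_id, write=True)
        del self.mappings[mapping_id]


def refused(action, exc=Forbidden) -> bool:
    """True when calling `action()` raises `exc` (used by the checks)."""
    try:
        action()
    except exc:
        return True
    return False
```

The regression test worth keeping for such a fix is the negative one: a user with no role on the collection must be refused on view, update, trigger and delete of a mapping, and a second `create` with the same `foreign_id` must leave the first record's metadata untouched.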
Aleph allows uploading files to investigations and datasets. When a file is uploaded Aleph computes a checksum of the file contents and stores the checksum in the database. The uploaded file can later be retrieved using checksum as a reference. File checksums are represented as strings of hexadecimal characters, for example “ae9ce53fa78166704f5990601ec412d73fb1698a”.
Due to a bug in ingest-file, users are able to upload specially crafted files in order to create file records in the database with arbitrary checksums. Because files are retrieved by checksum, this allows users to download files they do not have access to if they know the checksum of the file contents.
ingest-file versions up to and including 3.20.2. ingest-file is the component responsible for handling files you upload to Aleph.
ingest-file versions 3.20.3 and newer contain a patch for this vulnerability. The patch removes the ability to upload JSONL files that contain entities in the FollowTheMoney format to Aleph. If you have previously used this feature to create FollowTheMoney entities in Aleph in bulk, we recommend that you use the bulk endpoint of the Aleph API instead.
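As an added example (not ingest-file's code), the model below shows the two controls that close this class of bug: the archive key is always computed from the bytes actually stored, and a lookup by checksum is only honoured through a collection the caller can read. The bulk entity import drops any client-supplied `contentHash` (the FollowTheMoney property carrying the checksum); everything else, including class names and the permission model, is constructed for illustration.

```python
"""Content-addressed archive where the checksum is derived, never supplied.

Added example, not ingest-file's code. A crafted upload that binds an
attacker-chosen checksum to a record would otherwise resolve to another
user's file in the shared archive. Here the key is always derived from the
stored bytes, client-supplied `contentHash` values are discarded, and a
download by checksum is authorised via a readable collection. The model is
constructed; SHA-1 is used because that is the 40-hex format shown above.
"""
import hashlib


class Forbidden(Exception):
    pass


class Archive:
    """Blob store keyed by the SHA-1 of the content."""

    def __init__(self):
        self.blobs = {}

    def put(self, data: bytes) -> str:
        checksum = hashlib.sha1(data).hexdigest()  # derived, never trusted
        self.blobs[checksum] = data
        return checksum

    def get(self, checksum: str) -> bytes:
        return self.blobs[checksum]


class Index:
    """Per-collection document records and the users who may read them."""

    def __init__(self, archive: Archive):
        self.archive = archive
        self.members = {}    # collection -> set of users with access
        self.documents = {}  # collection -> {doc_id: checksum}
        self.entities = {}   # collection -> {entity_id: entity}

    def _require(self, user, collection):
        if user not in self.members.get(collection, set()):
            raise Forbidden(collection)

    def upload(self, user, collection, doc_id, data: bytes) -> str:
        """The only path that binds a record to a blob."""
        self._require(user, collection)
        checksum = self.archive.put(data)
        self.documents.setdefault(collection, {})[doc_id] = checksum
        return checksum

    def ingest_entity(self, user, collection, entity: dict) -> dict:
        """Bulk FtM entity import. A client-supplied contentHash is dropped so
        an entity can never claim a blob it did not upload."""
        self._require(user, collection)
        props = dict(entity.get("properties", {}))
        props.pop("contentHash", None)  # a real system would also log this
        stored = {"id": entity["id"], "schema": entity.get("schema"),
                  "properties": props}
        self.entities.setdefault(collection, {})[stored["id"]] = stored
        return stored

    def download(self, user, checksum: str) -> bytes:
        """Checksum lookups are only honoured through a readable collection."""
        for collection, docs in self.documents.items():
            if checksum in docs.values() and user in self.members.get(collection, set()):
                return self.archive.get(checksum)
        raise Forbidden(checksum)


def forbidden(action) -> bool:
    """True when `action()` is refused with Forbidden (used by the checks)."""
    try:
        action()
    except Forbidden:
        return True
    return False
```

Note that the first control alone is not enough: even with a derived checksum, a download endpoint that resolves a bare checksum against the global archive still lets anyone who learns a hash fetch the bytes, which is why the lookup goes through the caller's collections.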
- followthemoney bumped to 3.5.8
- ingest-file bumped to 3.20.0 (also using followthemoney 3.5.8)
Full Changelog: https://github.com/alephdata/aleph/compare/3.15.4...3.15.5
- Use the autoscaling/v2 API instead of autoscaling/v2beta1 by @richardjennings-occrp in https://github.com/alephdata/aleph/pull/3327 (fixes https://github.com/alephdata/aleph/issues/2998)
⚠️ Because of this change the minimum Kubernetes version for the Aleph helm chart is now 1.23 ⚠️
Full Changelog: https://github.com/alephdata/aleph/compare/3.15.3...3.15.4
- docker volume rm aleph_postgres-data aleph_postgres-data-e2e followed by make upgrade
- make format-check as pull request "check" by @monneyboi in https://github.com/alephdata/aleph/pull/3282
Full Changelog: https://github.com/alephdata/aleph/compare/3.15.1...3.15.3
Full Changelog: https://github.com/alephdata/aleph/compare/3.15.0...3.15.1
Full Changelog: https://github.com/alephdata/aleph/compare/3.14.1-rc15...3.15.1-rc1
Full Changelog: https://github.com/alephdata/aleph/compare/3.14.1-rc15...3.15.0-rc2
Introduced two new settings which control the scroll window of Elasticsearch queries made during xref operations:
- ALEPH_XREF_SCROLL (defaults to 5m) is the 'scroll' parameter used on ES scan() calls for xref operations and configures how long a consistent view of the index should be maintained for scrolled search
- ALEPH_XREF_SCROLL_SIZE (defaults to 1000) is the 'size' parameter used on ES scan() calls for xref operations and configures the size (per shard) of the batch sent for each iteration of a scan
Removed unnecessary packages from the UI docker image in #3129
Update Transifex config to work with the latest version of the tx CLI
Full Changelog: https://github.com/alephdata/aleph/compare/3.14.1...3.14.3
Sentry support
This release adds support for sending error tracebacks to sentry.io (or a self-hosted instance). This is controlled by two environment variables: SENTRY_DSN and SENTRY_ENVIRONMENT.
- Fixed a flaky UI test (#3011)
- ingest-file version bumped to 3.18.4
- Use bump2version for the docker-compose files in contrib/ to automatically keep them up to date.
Full Changelog: https://github.com/alephdata/aleph/compare/3.14.0...3.14.1