September 2017 Galaxy Release (v 17.09)¶
Highlights¶
- Singularity
- Tool execution using the HPC-friendly container technology Singularity is now supported. Custom containers can be specified by the Galaxy admin on a per-job-destination basis, or standardized containers corresponding to Conda requirements can be built or downloaded automatically using the mulled toolkit built into Galaxy (just as is already possible for Docker). For more information check out this presentation from the 2017 Galaxy Community Conference. Pull Request 4175
- Download entire collection
- Downloading whole collections is now possible from the history interface. Pull Request 4098 Thanks to @mvdbeek.
- Switch tool versions in workflows
- You can now select exactly what version of tool you want to use when building workflows. Pull Request 4373 Thanks to @mvdbeek.
Get Galaxy¶
The code lives on GitHub and you need Git to obtain it.
- To get a new Galaxy repository run:
$ git clone -b release_17.09 https://github.com/galaxyproject/galaxy.git
- To update an existing Galaxy repository run:
$ git checkout release_17.09 && git pull --ff-only origin release_17.09
See the community hub for additional details regarding the source code locations.
Security¶
The 17.09 Galaxy release includes many security patches. Per our new Security Policy, some of these have also been applied to Galaxy releases going back 12 months.
Details of the backported fixes are in the Security patch details section of these release notes. Some issues have been addressed only in 17.09; if security matters for your Galaxy instance we strongly recommend upgrading to this release as soon as possible.
If you maintain a publicly accessible Galaxy please consider signing up for this mailing list to receive the future security patches in advance of the public disclosure.
Deprecation Notices¶
- The Galaxy Sample Tracking and External Services functionality is now considered deprecated and will be removed completely in an upcoming release. Related PRs: #4526, #4872.
- The deprecated admin-only interface for Galaxy Data Libraries is staged to be removed in the next release.
- Workflows API: when exposing WorkflowInvocationSteps, `state` will no longer be available.
- The `refresh_on_change` attribute of a `<param>` tag in the tool syntax can no longer be set to the value of another parameter. Use a boolean instead (e.g. `refresh_on_change="True"`). Details
- The endpoint `/api/configuration/toolbox` is now deprecated and will be removed in the future. All tools are now watched for changes, so this feature became obsolete.
Release Notes¶
Enhancements¶
- Galaxy Workflow support for GenomeSpace (thanks to @nuwang and @gvlproject). Pull Request 1814
- Support tags (including new “name” tags) in data libraries. (thanks to @bwlang). Pull Request 4262
- HiCBrowser as Galaxy IE (thanks to @bgruening). Pull Request 3330
- Synnefo/Pithos+ object store backend (thanks to @saxtouri). Pull Request 3611
- Add job runner for Chronos (thanks to @theosotr). Pull Request 3946, Pull Request 4120
- Many improvements to the shell job runner (including a new Paramiko based runner with retry support) (thanks to @mvdbeek). Pull Request 4358, Pull Request 4599, Pull Request 4343
- Add entry for `empty_extra_files_path` validator (thanks to @gregvonkuster). Pull Request 3994
- Extend async data sources to support dataset collections (thanks to @fabio-cumbo). Pull Request 4198
- Add a repository uninstall endpoint to the tool dependency API (thanks to @mvdbeek). Pull Request 4248
- Display preview feature for Bam datatype (thanks to @ashvark). Pull Request 4279
- Add Unipept taxonomy viewer plugin (thanks to @caleb-easterly). Pull Request 4310
- Created alphabetic and numerical sort tool for collection operations (thanks to @glormph). Pull Request 4329
- Prevent loading tools that require a newer galaxy (thanks to @mvdbeek). Pull Request 4382
- Add explicit support for gzipped VCF files (thanks to @ffinfo). Pull Request 4254
- Add ptkscmp datatype (thanks to @gregvonkuster). Pull Request 4259
- Add imzML datatype (thanks to @bgruening). Pull Request 4370
- Add deepTools datatypes to Galaxy (thanks to @bgruening). Pull Request 4392
- Add support for the MEME psp format (thanks to @gregvonkuster). Pull Request 4430
- Add biom2 datatype (thanks to @shiltemann). Pull Request 4519
- Add Excel97 Datatype Pull Request 4410
- Add mz5 datatype (thanks to @bgruening). Pull Request 4466
- Refactor tool error reporting into plugins and implement a new plugin for influxdb (thanks to @hexylena). Pull Request 4305, Pull Request 4533
- Implement second toolshed installation UX targeting the API. Pull Request 3626
- Tool-Describing-Tours (thanks to @anatskiy). Pull Request 4019
- Revamp configuration and default server for tool shed and Galaxy reports application (these now use a uwsgi server by default configured with a YAML configuration file). Pull Request 3179
- Speed up and optimize the process of identifying public libraries. Pull Request 4640
- Numerous data library fixes and improvements - both to the frontend and backend. Pull Request 4568, Pull Request 4595, Pull Request 4594, Pull Request 4579, Pull Request 4560 Pull Request 4512, Pull Request 4621, Pull Request 4752
- Enhance workflow import API endpoint to allow admins to install repositories corresponding to a supplied workflow (thanks to @manabuishii). Pull Request 3064
- GFF3 support in filter by attribute (thanks to @peterjc). Pull Request 3076
- Add extension point for user preferences (thanks to @bgruening). Pull Request 3383
- Respect `expose_user_email` configuration in data libraries permissions list. Pull Request 4611
- Explicitly include PyPI as an `--extra-index-url` to pip. Pull Request 4674
- Improved Kubernetes support (non-privileged filesystem access, updated k8s Job API target) (thanks to @phnmnl). Pull Request 3972
- New Dependency resolver for the LMOD environment modules system (thanks to @arbernard). Pull Request 4489
- Nicer tool click targets for toolbox (thanks to @hexylena). Pull Request 4470
- Implement a “plain” bootstrap theme for the UX (thanks to @hexylena). Pull Request 4470
- Add Selenium tests for the “saved histories”, “published histories”, and “custom builds” (thanks to @anatskiy). Pull Request 4587, Pull Request 4502, Pull Request 4641,
- Dozens of Selenium functional test enhancements and fixes Pull Request 3993, Pull Request 4523, Pull Request 4524, Pull Request 4549, Pull Request 4588, Pull Request 4589, Pull Request 4647, Pull Request 3992, Pull Request 4003, Pull Request 4053, Pull Request 4576, Pull Request 4561, Pull Request 4531, Pull Request 4564, Pull Request 4582, Pull Request 4586, Pull Request 4592, Pull Request 4042
- Prevent graphite from dying loudly (thanks to @hexylena). Pull Request 4036
- Updated parameters check for OpenID (thanks to @VJalili). Pull Request 4039
- Tooltip translation . Add Deutsch,Spanish (thanks to @ValentinChCloud). Pull Request 4045
- New Workflow Management Screen UI using JavaScript (thanks to @bgruening). Pull Request 4047
- Improve release checklist Pull Request 4077
- Fix French translation errors (thanks to @yvanlebras). Pull Request 4080
- remove the content alert from TS response Pull Request 4082
- Touchup .gitignore to not ignore new bundles. Pull Request 4091
- New Configure Workflow Menu UI (thanks to @bgruening). Pull Request 4092
- get real user name from username and email (for submission as real user with drmaa) (thanks to @bernt-matthias). Pull Request 4096
- Security policy (thanks to @hexylena). Pull Request 4113
- Improved styling of workflow list. Pull Request 4138
- Swap over all URLs to new wiki location (thanks to @hexylena). Pull Request 4141
- Documentation fixes and improvements (thanks to @nsoranzo). Pull Request 4146
- Slider enhancement, shared event listeners Pull Request 4149
- Add the ability to control job conf plugin loading from environment variables. Pull Request 4154
- Replace various mako templates with client side JavaScript rendering. Pull Request 4157, Pull Request 4167, Pull Request 4169, Pull Request 4201, Pull Request 4311, Pull Request 4377, Pull Request 4411, Pull Request 4334, Pull Request 4305, Pull Request 4067, Pull Request 4327
- Related to the above mako transition, rework various “grid” rendering code to do more on the client side as well. Pull Request 4302, Pull Request 4291, Pull Request 4293, Pull Request 4385, Pull Request 4405, Pull Request 4449, Pull Request 4263, Pull Request 4341, Pull Request 4163, Pull Request 4101
- Set content type to application/json for JSON text types. Pull Request 4160
- Assorted enhancements for container support (both for mulled container generation and fetching as well as to new Singularity support). Pull Request 4173, Pull Request 4179, Pull Request 4180, Pull Request 4185
- Make updateucsc.sh.sample usable without any change (thanks to @nsoranzo). Pull Request 4192
- deals with .xls older file extension (thanks to @FredericBGA). Pull Request 4200
- add dev requirement Pull Request 4008
- Improve search plugin (thanks to @bgruening). Pull Request 4213
- Upgrading Neo4j IE to 3.1 (thanks to @thobalose). Pull Request 4216
- Running a word count on a compressed fastq file now runs wc on the un… (thanks to @dpryan79). Pull Request 4226
- “Join two Datasets” (join1) preserve column headers (thanks to @lecorguille). Pull Request 4229
- Add public-only filter for data libraries (thanks to @pvanheus). Pull Request 4232
- Fix import order and Python3 compatibility for 51 files (thanks to @nsoranzo). Pull Request 4236
- Sniff fastqsanger and prefer it over fastq if the quality scores match (thanks to @dpryan79). Pull Request 4237
- Enable skipping comment lines while sniffing files (thanks to @dpryan79). Pull Request 4239
- Expose 4 more rows from the galaxy_user table to help out sys admins (thanks to @XDtim). Pull Request 4255
- Change ‘register or login’ to just ‘login’ if ‘allow_user_creation=False’ (thanks to @scholtalbers). Pull Request 4258
- Keep tool parameters when rerunning a job (thanks to @mvdbeek). Pull Request 4271
- More uniform backend code for generating page titles (thanks to @hexylena). Pull Request 4272, Pull Request 4578
- Fix blockquote>p sizing (thanks to @hexylena). Pull Request 4273
- Expose more user properties to admins via the API. Pull Request 4274
- Ensure tags are copied and presented when moving collections (thanks to @pvanheus). Pull Request 4277
- Add `test_errors` to .gitignore. Pull Request 4278
- Implement package locking for node modules. Pull Request 4283
- Enhancement for Phylocanvas plugin (thanks to @bgruening). Pull Request 4284
- Improve security via local network access restrictions (thanks to @hexylena). Pull Request 4289
- Enhancement for Phyloviz viz plugin (thanks to @bgruening). Pull Request 4292
- Allow submitting Galaxy jobs as a predefined system user using `real_system_username` (thanks to @ashvark). Pull Request 4294
- Update Japanese translation (thanks to @manabuishii). Pull Request 4304
- Allow localization of more UI strings (thanks to @manabuishii). Pull Request 4306, Pull Request 4307
- Allow import of history archives via simple file upload (thanks to @mvdbeek). Pull Request 4326
- Fix some French errors (thanks to @loraine-gueguen). Pull Request 4337
- Updated the version requirements (thanks to @VJalili). Pull Request 4342
- CSRF protection for login, logout, and user registration (most parts of the Galaxy UI still don’t have explicit CSRF protection). Pull Request 4365, Pull Request 4710
- Implement `default_identifier_source` for tool collection outputs and sort input keys by default (thanks to @mvdbeek). Pull Request 4368, Pull Request 4380
- Galactic Radio Telescope Update (thanks to @hexylena). Pull Request 4376
- Show minimum required galaxy version in tool shed and galaxy installation process (thanks to @mvdbeek). Pull Request 4386
- Cleanup of Unit Test Code for Loading Tools Pull Request 4387
- Refactor ToolOutputCollectionStructure… Pull Request 4389
- Slightly improve workflow warnings/errors logging. Pull Request 4396
- Better Error Summaries for API Tests Pull Request 4397
- Fix import order and Python3 compatibility for lib/galaxy/web/base/ (thanks to @nsoranzo). Pull Request 4403
- Generalize allow_library_path_paste to allow_path_paste. Pull Request 4404
- Small GRT bugfixes (thanks to @hexylena). Pull Request 4408
- Update conda channel order to sync with Bioconda (thanks to @nsoranzo). Pull Request 4409
- Fixes and enhancements for the upload API Pull Request 4417
- Avoid adding (imported from API) to workflows (thanks to @chambm). Pull Request 4434
- Enhanced tool options for dataset discovery Pull Request 4437
- Augment form module separation Pull Request 4438
- Fix E201 and E202 style errors (thanks to @nsoranzo). Pull Request 4440
- Add autopep8 script to help rebasing branches after #4440. Pull Request 4447
- Uniform indentation of multiline if conditionals (thanks to @nsoranzo). Pull Request 4455
- Small logging improvements (thanks to @nsoranzo). Pull Request 4456
- Improvements to Sentry integration (thanks to @hexylena). Pull Request 4457, Pull Request 4471
- Fix for GIEs to not automatically uppercase environment variables (thanks to @xgaia). Pull Request 4458, Pull Request 4454
- Fix security checking of WorkflowInvocation for published workflows (thanks to @mvdbeek). Pull Request 4465
- Show more items per page in saved history view and directly show tags (thanks to @mvdbeek). Pull Request 4467
- A variety of usability improvements to the workflow index page (show tags, allow import by drag-and-drop, and avoid unneeded page refreshes) (thanks to @mvdbeek). Pull Request 4476, Pull Request 4369
- Use pysam instead of samtools binary when discovering BAM metadata in one place (samtools is still required by Galaxy) (thanks to @nsoranzo). Pull Request 4479
- Replace exclamation with a clock icon for “new” datasets in the history panel. Pull Request 4485
- Minor copy datasets dialog improvement. Pull Request 4486
- 41% reduction in freiburg galaxy startup time (thanks to @hexylena). Pull Request 4495
- Allow paramiko cli to recover from ssh timeout (thanks to @mvdbeek). Pull Request 4503
- Tests and clarifications for composite uploads. Pull Request 4505
- Load tools with collection type source attributes into the workflow editor Pull Request 4514
- Display d3 hierarchy datatype in upload interface Pull Request 4522
- Sync non-CWL galaxy-lib changes. Pull Request 4535
- Add a small howto on profiling galaxy code (thanks to @mvdbeek). Pull Request 4542
- allow linking, posix and spaces conversions in datalib imports Pull Request 4547
- Allow exporting workflows when tool is uninstalled (thanks to @mvdbeek). Pull Request 4553
- Lower threshold for auto-matching dataset pairs in the collection builder Pull Request 4555
- Allow working with pbzip2 compressed files (thanks to @mvdbeek). Pull Request 4559
- add logging to ts index building Pull Request 4567
- Add show/hide deleted/hidden links when history is filtered… (thanks to @chambm). Pull Request 4581
- Python 3 fixes for set_metadata.py Pull Request 4607
- Allow adding new data tables without restart (thanks to @mvdbeek). Pull Request 4617
- remove .git and .hg from recursive file search (thanks to @bgruening). Pull Request 4636
- Better handling of long id secrets when generating per-kind encryption keys. Pull Request 4713
- Add test case clarifying datasets do get “renamed” by rename PJA in collections. Pull Request 3983
- Add some test tools for collection job failures. Pull Request 4044
- Merge ShedToolLineage and StockLineage to ToolLineage (thanks to @mvdbeek). Pull Request 4119
- Move PlantTribes datatypes to a separate file with enhancements and fixes (thanks to @gregvonkuster). Pull Request 4137
- Move `galaxy.tools.toolbox.cache` to `galaxy.tools.cache`. Pull Request 4155
- Small code style and error message fixes for data library code (thanks to @bwlang). Pull Request 4250
- Refactor tag manager to not consume the unneeded `app` argument (thanks to @bwlang). Pull Request 4253
- Use a contextmanager when using `compression_util.get_fileobj()` (thanks to @mvdbeek). Pull Request 4270
- Swap the deprecated `unescape()` for `decodeURIComponent`. Pull Request 4321
- More consistent formatting for model mapping code (thanks to @VJalili). Pull Request 4333
- Merge configure menu with main workflow view (thanks to @bgruening). Pull Request 4353
- Delete `conda_exec_home` instead of `env['HOME']` (thanks to @mvdbeek). Pull Request 4360
- Replace list with generator when iterating headers in datatypes code (thanks to @mvdbeek). Pull Request 4388
- Get tools with `tool_version` in more places (thanks to @mvdbeek). Pull Request 4391
- Fix issues identified by the JavaScript linting application lgtm (thanks to @xiemaisi). Pull Request 4421
- Remove /mobile and associated templates (the code was unused and broken). Pull Request 4494
- Workflow loading speedup (thanks to @mvdbeek). Pull Request 4500
- Prevent transient job state API test failures from failing the build. Pull Request 4510
- More robust workflow invocation testing. Pull Request 4530
- Refactor history import/export tests to allow collection testing. Pull Request 4534
- Refactor test modules toward cleaner dependencies Pull Request 4536
- Prevent in-place editing of uploaded files if files are imported from the FTP folder (thanks to @mvdbeek). Pull Request 4539
- Speedup toolform building (thanks to @mvdbeek). Pull Request 4541
- Check user roles only once if user has no roles (thanks to @mvdbeek). Pull Request 4546
- Remove unused bam to bai converter (thanks to @mvdbeek). Pull Request 4598
- Remove various unreachable statements (thanks to @hexylena). Pull Request 4603
- Refactored a dataset variable to HDA (thanks to @VJalili). Pull Request 4630
- Disable MacOS tests on TravisCI. Pull Request 4631
Fixes¶
- Various hashtag (or name tag) fixes (also backported to 17.05). Pull Request 4139, Pull Request 4188
- Simplify RC creation in Makefile. Pull Request 4011
- Do not recurse in `ensure_installed()` (thanks to @bernt-matthias). Pull Request 4049
- Minor fixes for new locales, rebuild of client. Pull Request 4050
- French translation error (thanks to @yvanlebras). Pull Request 4051
- Minor history tour tweaks. Pull Request 4061
- Improve tour button logic (thanks to @bagnacan). Pull Request 4062
- Bug fix to prevent fetching the file path of purged files (thanks to @dpryan79). Pull Request 4066
- ToolShed tool dependency install fixes (thanks to @nsoranzo). Pull Request 4105
- Fix legacy Python path for genome diversity tools from miller lab. Pull Request 4117
- Avoid locale specific string.letters for job_name (thanks to @peterjc). Pull Request 4121
- Fix typo in job_conf.xml.sample (thanks to @manabuishii). Pull Request 4126
- Hide error highlighting if user interacts with highlighted field Pull Request 4147
- Fix webhooks loading URL. Pull Request 4158
- Fix older GIE config sample description. Pull Request 4164
- Fix #3990, don’t chown non-galaxy files (thanks to @dpryan79). Pull Request 4186
- Debug of script library_upload_dir.py (thanks to @FredericBGA). Pull Request 4199
- Correct name of neo4j datatype class (thanks to @pvanheus). Pull Request 4223
- Fix `Registry.get_datatype_by_extension()` to return `None` if `ext` is unknown (thanks to @nsoranzo). Pull Request 4224
- Avoid broken version of Mercurial in conda (thanks to @bwlang). Pull Request 4227
- Fix empty tabular output error when using discover_datasets. (thanks to @pkrog). Pull Request 4240
- Fix importing old exported histories. (thanks to @cche). Pull Request 4268
- Update `tool_conf.xml.main` to reflect usegalaxy.org's current state. Pull Request 4295
- Fix `TypeError` when uploading large files from FTP to S3 (thanks to @jlhg). Pull Request 4315
- Fix for loading tools when `tool.lineage is None`. Pull Request 4317
- Fix for the caching of location filenames when they are broken symlinks. Pull Request 4318
- Remove print debug option from toolshed. Pull Request 4332
- Fix default output labels for subworkflows (thanks to @mvdbeek). Pull Request 4346
- Search overlay plugin bug fix (thanks to @bgruening). Pull Request 4348
- Tool version and lineage fixes (thanks to @mvdbeek). Pull Request 4375
- Fix bug in `scripts/extract_dataset_part.py` during task splitting. Pull Request 4383
- Fix `get_tool` returning a list when it shouldn't. Pull Request 4390
- Bug fix for loading subworkflows from workflow descriptions. Pull Request 4394
- Bug fix for the `__str__` method on tool parsers that previously would throw an `Exception`. Pull Request 4395
- Add missing chemical formats to `datatypes_conf.xml.sample` (thanks to @nsoranzo). Pull Request 4413
- Don't cast `tool_version` to string if `tool_version` is None (thanks to @mvdbeek). Pull Request 4420
- Some unicoding for local runner (thanks to @hexylena). Pull Request 4426
- Break connection in workflow editor if necessary (thanks to @mvdbeek). Pull Request 4431
- Fix private role validation. Pull Request 4432
- Remove print of non-existent attribute ‘content’ (thanks to @chambm). Pull Request 4439
- Fix quota function name Pull Request 4469
- Fixes for VCF/BCF datatypes (thanks to @nsoranzo). Pull Request 4477
- Validate workflow step after step argument injection. Pull Request 4483
- Fix drag and drop from history for Firefox Pull Request 4496
- 2017-08 Security Patch (thanks to @hexylena). Pull Request 4501
- Fix history import if using symlink in database directory (thanks to @FredericBGA). Pull Request 4511
- Fix missing tools in the workflow editor (thanks to @mvdbeek). Pull Request 4552
- Prevent unbound variable error history controller. Pull Request 4557
- Backport uwsgi fix from #2836. Pull Request 4565
- Bug fix startup of galaxy when webhooks dir is empty (thanks to @mvdbeek). Pull Request 4570
- Fix delete option in history menu. Pull Request 4574
- Cancel workflow invocations when histories are deleted. Pull Request 4580
- Multiview missing histories fix Pull Request 4610
- Fix virtualenv activation for some scripts (thanks to @nsoranzo). Pull Request 4616
- Pulsar remote metadata fixes Pull Request 4622
- Swap sanitize whitelist form to use a post. Pull Request 4625
- Various spelling and grammar fixes. Pull Request 4626
- Typo fix (thanks to @VJalili). Pull Request 4628
- Updated function description and fix some typos (thanks to @VJalili). Pull Request 4629
- Fix display of data in “custom builds” page (thanks to @anatskiy). Pull Request 4634
- Do not wrap lines in the upload URL fetch. Pull Request 4639
- Explicitly write registry.xml when creating a job for the upload tool (thanks to @mvdbeek). Pull Request 4644, Pull Request 4600
- Fix links on workflow, history items. Pull Request 4656
- Fix for modules resolver. Pull Request 4663
- Remove overly chatty debug statement. Pull Request 4671
- Client side fixes for GIEs. Pull Request 4680
- Update target versions of conda and conda-build (thanks to @nsoranzo). Pull Request 4701
- Correct base route for workflows, allowing proxy-prefix to work. Pull Request 4705
- Cachebust IE require’d files (jupyter.js, etc). Pull Request 4714
- Add message (error and info) display to workflows display list. Pull Request 4716
- If the newest version of a tool is hidden, load the newest older version, if any, into the tool panel. Pull Request 4726
- Fix missing support for command_inject when using containers lib in GIEs. Pull Request 4740
- Fix t, a, g, s returned in to_dict() method (thanks to @mvdbeek). Pull Request 4742
- Fix joiner tool to inherit datatype from the input format Pull Request 4745
- Fix auth with `ldaps://` (thanks to @abretaud). Pull Request 4748
- Force onload webhooks to wait for Galaxy object (and root) resolution. Pull Request 4750
- GIEs: Grandfather automatic uppercasing of some env_override variables Pull Request 4760
Security patch details¶
Limited Galaxy Data Library unauthorized filesystem access¶
Tracked as GX-2017-0001
A medium severity security vulnerability in Galaxy Data Libraries was recently discovered by Jelle Scholtalbers. This vulnerability allows the following unauthorized actions:
- Any user that has been granted the permission to add datasets to a library, library folder, or to modify an existing library dataset (an “authorized user”), is able to import any file on the system that is readable by the user running the Galaxy server.
- Anyone can create libraries and library folders (but not add datasets to them)
The fix for this issue has been applied to Galaxy releases back to 16.07 and can be found in this commit
Arbitrary code execution for Galaxy servers with Galaxy Interactive Environments enabled¶
Tracked as GX-2017-0002
A high severity security vulnerability was recently discovered in Galaxy Interactive Environments (GIEs) by the Galaxy Committers Team. Anyone with a Galaxy account can exploit this vulnerability to execute arbitrary code on the Galaxy server as the user running the Galaxy server process.
The vulnerability only affects Galaxy servers on which Galaxy Interactive Environments are enabled (by setting the `interactive_environment_plugins_directory` option in galaxy.ini). Because the vulnerability can be exploited to execute arbitrary code, the impact for affected servers is severe.
Administrators of Galaxy servers where GIEs are enabled should update immediately.
The fix for this issue has been applied to Galaxy releases back to 17.05 and can be found in this commit
Unauthorized filesystem access via data source tools¶
Tracked as GX-2017-0003
A medium severity security vulnerability in tools utilizing the Galaxy data source protocol was recently discovered by the Galaxy Committers Team. Anyone who is able to run an external data source tool can access any file that is readable by the user running Galaxy jobs on the host where the job runs.
Many such "external data source" tools are provided with the Galaxy distribution and are enabled by default (most tools under the "Get Data" section of the tool panel), meaning that its exploitability is fairly high: only one such tool needs to be enabled to be vulnerable, including any custom data source tool (any tool that uses `tools/data_source/data_source.py`).
What files are readable depends entirely upon what the job's user has access to read on the host(s) where jobs run.
The fix for this issue has been applied to Galaxy releases back to 16.07 and can be found in this commit
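What GX-2017-0001 and GX-2017-0003 have in common is a user-influenced path reaching the filesystem without being confined to a location the administrator intended. The following is an added example, not Galaxy's code and not the patch in the referenced commits; it shows the containment check in generic form, beside the string-prefix test it replaces: canonicalise the path (following symlinks and collapsing `..`) and accept it only if the result lies under an admin-configured import root. The `import_root` directory layout, the file names and the `resolve_under_roots`/`unsafe_resolve` helpers are constructed for the demonstration.

```python
import os
import shutil
import tempfile


def resolve_under_roots(candidate, allowed_roots):
    """Canonicalise `candidate` and return it only if it lies under one of
    `allowed_roots`; otherwise return None.

    realpath() follows symlinks and collapses "..", so the decision is made on
    where the path really points, not on how it was spelled.  commonpath()
    avoids the textual-prefix trap where "/data/ok2" starts with "/data/ok".
    """
    real = os.path.realpath(candidate)
    for root in allowed_roots:
        real_root = os.path.realpath(root)
        if os.path.commonpath([real, real_root]) == real_root:
            return real
    return None


def unsafe_resolve(candidate, allowed_roots):
    """The pattern the check above replaces: a plain string-prefix test, which
    a symlink inside the root or a ".." component defeats."""
    if any(candidate.startswith(root) for root in allowed_roots):
        return candidate
    return None


def run_demo():
    """Build a throwaway tree (constructed for this example) and probe both
    checks with an honest path, a symlink escape, a ".." escape and a
    sibling-directory prefix collision.  Returns a dict of booleans."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "import_root")   # the admin-configured root
        os.mkdir(root)
        inside = os.path.join(root, "reads.fastq")
        with open(inside, "w") as fh:
            fh.write("@r1\nACGT\n+\nIIII\n")
        secret = os.path.join(base, "secret.txt")  # outside the root
        with open(secret, "w") as fh:
            fh.write("not for library users\n")
        link = os.path.join(root, "escape")        # symlink inside -> outside
        os.symlink(secret, link)
        dotdot = os.path.join(root, "..", "secret.txt")
        sibling = root + "2/x"                     # "/.../import_root2/x"
        roots = [root]
        return {
            "inside_accepted": resolve_under_roots(inside, roots) == os.path.realpath(inside),
            "symlink_unsafe_accepts": unsafe_resolve(link, roots) is not None,
            "symlink_safe_rejects": resolve_under_roots(link, roots) is None,
            "dotdot_unsafe_accepts": unsafe_resolve(dotdot, roots) is not None,
            "dotdot_safe_rejects": resolve_under_roots(dotdot, roots) is None,
            "sibling_unsafe_accepts": unsafe_resolve(sibling, roots) is not None,
            "sibling_safe_rejects": resolve_under_roots(sibling, roots) is None,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The same check applies wherever a path comes from outside the server's control: an admin path-paste in a data library, a filename handed to a data source tool, or a job working directory that is later read back. The realpath step is what closes the symlink case, which a `..` filter alone does not.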
Cross site scripting and session fixation¶
Disclosed on the mailing list in August 2017.
Vulnerabilities were found by Helena Rasche and Manabu Ishii respectively. Detailed descriptions of these categories of vulnerabilities can be found at:
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://www.owasp.org/index.php/Session_fixation
The fix for these issues has been applied to Galaxy releases back to 16.10 and can be found in this diff
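For the session fixation half of this advisory, the defense the OWASP page describes is to issue a fresh session identifier at authentication so that an identifier an attacker planted before login never becomes an authenticated one. The following is an added example, not Galaxy's code and not the referenced diff; it plays the attack out against a minimal in-memory session table with the vulnerable login beside the rotating one. The `SessionStore` class, the `victim@example.org` account and the `fixation_attempt` driver are constructed for the demonstration; the XSS fix in the same diff is not covered here.

```python
import secrets


class SessionStore:
    """Minimal server-side session table (constructed for this example)."""

    def __init__(self):
        self._sessions = {}  # session id -> session data

    def new_anonymous(self):
        """Issue an unauthenticated session, as a first visit would."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login_in_place(self, sid, user):
        """Vulnerable pattern: keep the pre-authentication id and just mark it
        authenticated.  Whoever already knows `sid` now owns the account."""
        self._sessions[sid]["user"] = user
        return sid

    def login_with_rotation(self, sid, user):
        """Fixed pattern: retire the pre-authentication id and issue a fresh one
        that carries the authenticated state (pre-login data is copied over)."""
        data = self._sessions.pop(sid, {"user": None})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = dict(data, user=user)
        return new_sid

    def user_for(self, sid):
        """Resolve a presented id to its user, or None if unknown/anonymous."""
        data = self._sessions.get(sid)
        return data["user"] if data else None


def fixation_attempt(rotate_on_login):
    """Play out the attack: the attacker obtains a valid anonymous id, plants it
    in the victim's browser, the victim logs in with it, and the attacker then
    replays the planted id.  Returns (attacker_is_victim, victim_logged_in)."""
    store = SessionStore()
    planted = store.new_anonymous()  # the id the attacker knows and plants
    login = store.login_with_rotation if rotate_on_login else store.login_in_place
    victim_sid = login(planted, "victim@example.org")  # victim's browser now holds victim_sid
    attacker_is_victim = store.user_for(planted) == "victim@example.org"
    victim_logged_in = store.user_for(victim_sid) == "victim@example.org"
    return attacker_is_victim, victim_logged_in


if __name__ == "__main__":
    print("without rotation:", fixation_attempt(rotate_on_login=False))
    print("with rotation:   ", fixation_attempt(rotate_on_login=True))
```

Rotation only helps if the old identifier is actually removed server-side (the `pop` above); merely sending a new cookie while the old row stays valid leaves the planted id usable.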
To stay up to date with Galaxy’s progress watch our screencasts, visit our community hub, and follow @galaxyproject on Twitter.
You can always reach us on Gitter or IRC.
Thanks for using Galaxy!