Some New Endpoints Return Sensitive Data - Should Require Auth #871
Comments
MikeNeilson
added
hec-approved-W912HQ21F0163-4b
|
Its possible there is still a place or two. I'm checking |
|
oh, right. the IT will need the auth added too |
|
Auth added by Ryan to this endpoint. Other concerns as follows: |
|
MQ would be authorized only; unless a compelling argument is made otherwise. But even then the scope of data would be limited. CLOB/BLOB. fair point. Will require further consideration. |
|
Though it dawns on me that properties, and probably water supply, and honestly most of the "REGI" derived endpoints should be authorized even for read. Charles also found some hostnames in the properties that we assume were stored by REGI, but it also makes sense that that particular properties endpoint isn't for public consumption. |
|
Project lock endpoints and properties were merged under the attached PR's. Closing this issue. |
The following are endpoints that I tested and that, for some reason or another (REGI?), have IP address/User Information/Hostnames in them.
Would the best method be to force authentication of these GET requests?
Project Lock Rights Endpoint
Command
Result
Having a user in REGI create a lock, then running that to see the output gives this
[ { "office-id": "SWT", "project-id": "ALTU", "application-id": "regi;daily ops", "acquire-time": 1725640446000, "session-user": "<USERNAME REDACTED>", "os-user": "<USERNAME REDACTED>", "session-program": "JDBC Thin Client", "session-machine": "<SYSTEM HOSTNAME REDACTED>" } ]Project Lock Revoker Rights Endpoint
Command
Result
[ { "office-id": "SWT", "project-id": "BIGH", "application-id": "regi", "user-id": "<REDACTED USERID 1>" }, { "office-id": "SWT", "project-id": "WAUR", "application-id": "regi", "user-id": "<REDACTED USERID 2>" }, ... ]The text was updated successfully, but these errors were encountered: