NASA-PDS / registry-api

Web API service for the PDS Registry, providing the implementation of the PDS Search API (https://github.com/nasa-pds/pds-api) for the PDS Registry.
https://nasa-pds.github.io/pds-api
Apache License 2.0

Fix vulnerabilities raised by Sonatype Lift #121

Closed tloubrieu-jpl closed 1 year ago

tloubrieu-jpl commented 2 years ago

🐛 Describe the bug

See for example https://lift.sonatype.com/results/github.com/NASA-PDS/registry-api/01G0G09HRN3M99XVM8V7BS0KGK

al-niessner commented 2 years ago

@tloubrieu-jpl

Is there an easy way to run these manually?

tloubrieu-jpl commented 2 years ago

@al-niessner I have no idea...

tloubrieu-jpl commented 1 year ago

Re-opened because of I&T

tloubrieu-jpl commented 1 year ago

This ticket needs to be solved by: https://github.com/NASA-PDS/registry-api/issues/219 and/or https://github.com/NASA-PDS/registry-api/issues/218

al-niessner commented 1 year ago

@jordanpadams @tloubrieu-jpl

The CORS and CSRF are false positives. Yes, the API is open (not authenticated) but nothing is authenticated because everything is GET (stateless). They cannot adversely cause a PUT or change of database state or any other state as the vulnerability warns (unwanted state changes are the exploit of this vulnerability). Yes, in general, the error is valid but in this context there is not a possible exploit.

If and when we get to the point where you want person A to login to the registry-api to see just mars and jupiter while person B for just venus and mercury then these would be exploitable in that A could use B to inadvertently send them venus data. Still, no changes within PDS. Not really seeing any exploits.

jordanpadams commented 1 year ago

copy @al-niessner. we plan on eventually implementing some authenticated-access-only capabilities, but I think we will need to address those possible vulnerabilities when the time comes

jordanpadams commented 1 year ago

doesn't look like there is any way we can put on the Sonatype Lift issues that these are false positives, so we will just have to use this ticket to track that.

we will wait for @tloubrieu-jpl to call this good or not when he gets back

jordanpadams commented 1 year ago

@tloubrieu-jpl can you review this?

jordanpadams commented 1 year ago

Closing this as done for now. Will revisit if these vulnerabilities pop back up