USACE / cwms-data-api

Corps Water Management System RESTful Data Service
MIT License

Some New Endpoints Return Sensitive Data - Should Require Auth #871

Open krowvin opened 1 week ago

krowvin commented 1 week ago

The following are endpoints that I tested and that, for some reason or another (REGI?), have IP address/User Information/Hostnames in them.

Would the best method be to force authentication of these GET requests?

Project Lock Rights Endpoint

Command

curl -X 'GET' \
  'https://T7HOST:TCPORT/swt-data/project-lock-rights?office-mask=SWT' \
  -H 'accept: application/json'

Result

Having a user in REGI create a lock, then running that to see the output gives this

[
  {
    "office-id": "SWT",
    "project-id": "ALTU",
    "application-id": "regi;daily ops",
    "acquire-time": 1725640446000,
    "session-user": "<USERNAME REDACTED>",
    "os-user": "<USERNAME REDACTED>",
    "session-program": "JDBC Thin Client",
    "session-machine": "<SYSTEM HOSTNAME REDACTED>"
  }
]

Project Lock Revoker Rights Endpoint

Command

curl -X 'GET' \
  'https://T7HOST:TCPORT/swt-data/project-lock-rights?office-mask=SWT' \
  -H 'accept: application/json'

Result

[
  {
    "office-id": "SWT",
    "project-id": "BIGH",
    "application-id": "regi",
    "user-id": "<REDACTED USERID 1>"
  },
  {
    "office-id": "SWT",
    "project-id": "WAUR",
    "application-id": "regi",
    "user-id": "<REDACTED USERID 2>"
  },
  ...
]

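
An added illustration of the check behind this report, not code from the original issue or from cwms-data-api: walk each unauthenticated GET response and flag fields that carry user, host or IP details, so the endpoints that need authentication can be listed mechanically. The sensitive field names come from the responses quoted above; the sample payloads, the second endpoint's path and the hostname/IP heuristics are constructed for the example.

```python
"""Audit helper: flag API responses that expose user, host or IP details.

Constructed example for this issue; not part of cwms-data-api. The field
names in SENSITIVE_KEYS come from the responses quoted in the issue; the
sample payloads and the value heuristics are assumptions for illustration.
"""
import ipaddress
import json
import re

# Field names that the quoted responses show carrying identity or host data.
SENSITIVE_KEYS = {"session-user", "os-user", "session-machine", "user-id"}

# Fallback for values whose key is not listed: a hostname-like token
# (two or more DNS labels) or an IP address literal.
HOSTNAME_RE = re.compile(
    r"^(?=.{4,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I
)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _walk(node, path=""):
    """Yield (path, key, value) for every scalar in a nested JSON structure."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    else:
        key = path.rsplit(".", 1)[-1].split("[")[0]
        yield path, key, node


def scan_response(endpoint: str, payload) -> list:
    """Return one finding per scalar that looks like user, host or IP data."""
    findings = []
    for path, key, value in _walk(payload):
        reason = None
        if key in SENSITIVE_KEYS:
            reason = "sensitive field name"
        elif isinstance(value, str) and _is_ip(value):
            reason = "ip address value"
        elif isinstance(value, str) and HOSTNAME_RE.match(value):
            reason = "hostname-like value"
        if reason:
            findings.append({"endpoint": endpoint, "path": path, "reason": reason})
    return findings


def endpoints_needing_auth(responses: dict) -> list:
    """Endpoints whose unauthenticated response produced at least one finding."""
    return sorted(ep for ep, payload in responses.items() if scan_response(ep, payload))


# Constructed sample responses, shaped like the redacted output in the issue.
# The revoker-rights path is a hypothetical name, not a verified route.
SAMPLE_RESPONSES = {
    "/swt-data/project-lock-rights": [
        {
            "office-id": "SWT",
            "project-id": "ALTU",
            "application-id": "regi;daily ops",
            "acquire-time": 1725640446000,
            "session-user": "jdoe",
            "os-user": "jdoe",
            "session-program": "JDBC Thin Client",
            "session-machine": "workstation-01.example.com",
        }
    ],
    "/swt-data/project-lock-revoker-rights": [
        {"office-id": "SWT", "project-id": "BIGH", "application-id": "regi", "user-id": "u0001"}
    ],
    "/swt-data/offices": [
        {"office-id": "SWT", "long-name": "Tulsa District"}
    ],
}

if __name__ == "__main__":
    for ep, payload in SAMPLE_RESPONSES.items():
        print(json.dumps(scan_response(ep, payload), indent=2))
    print("require auth:", endpoints_needing_auth(SAMPLE_RESPONSES))
```

Running the script against captured responses from a test instance (instead of `SAMPLE_RESPONSES`) gives a list to compare against the routes that currently allow anonymous GET; a finding on a route is a signal to review it, not proof on its own, since the key list and patterns are heuristics.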
rma-rripken commented 1 week ago

https://github.com/USACE/cwms-data-api/pull/872

It's possible there is still a place or two. I'm checking.

rma-rripken commented 1 week ago

Oh, right. The IT will need the auth added too.

rma-psmorris commented 1 week ago

Auth added by Ryan to this endpoint. Other concerns as follows: Future addition of the MQ pieces might have sensitive data. Get endpoints to properties, CLOB, and BLOB could have auth added given their usage to store application level data. @MikeNeilson do you have thoughts here?

MikeNeilson commented 1 week ago

MQ would be authorized only; unless a compelling argument is made otherwise. But even then the scope of data would be limited.

CLOB/BLOB: fair point. Will require further consideration.

MikeNeilson commented 1 week ago

Though it dawns on me that properties, and probably water supply, and honestly most of the "REGI" derived endpoints should be authorized even for read. Charles also found some hostnames in the properties that we assume were stored by REGI, but it also makes sense that that particular properties endpoint isn't for public consumption.