cablelabs / ddos-info-sharing

The repository for the CRITS based DDoS Information Sharing platform
https://cablelabs.github.io/ddos-info-sharing/

Attack source endpoint appears to let anyone look at attack source information regardless of org membership #14

Closed Chadyshack closed 2 years ago

Chadyshack commented 2 years ago

https://api.dissarm.net/v1/attack-sources/{ip} does not check whether or not the requesting user owns the IP address. Either disable this endpoint or add checking to make sure the requester owns said IP address.

Chadyshack commented 2 years ago

This will likely only be for use by super admins, but we can also look at adding a user_owns_attack_source authentication function if we think it will be useful. The current role branch has it as super admin.
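An added example, not part of the thread and not the project's own code: one way the ownership check discussed in this issue could be written in Python, with super admins allowed through and everyone else limited to IPs inside their organization's networks. Only the function name `user_owns_attack_source` and the endpoint path come from the issue; the `Requester` type, its `org_networks` field, the `super_admin` role string and `authorize_attack_source` are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

SUPER_ADMIN = "super_admin"  # assumed role name, not taken from the project


@dataclass
class Requester:
    """Hypothetical view of the authenticated API user."""
    username: str
    role: str = "user"
    # CIDR blocks registered to the requester's organization (constructed data).
    org_networks: list = field(default_factory=list)


def user_owns_attack_source(requester, ip_text):
    """True only if ip_text lies inside a network owned by the requester's org."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed {ip} path parameter: deny by default
    for cidr in requester.org_networks:
        net = ipaddress.ip_network(cidr, strict=False)
        # Membership is always False when the IP and network versions differ.
        if ip in net:
            return True
    return False


def authorize_attack_source(requester, ip_text):
    """HTTP status the GET /v1/attack-sources/{ip} handler should return."""
    if requester is None:
        return 401  # no authenticated user
    if requester.role == SUPER_ADMIN:
        return 200  # super admins may read any attack source
    if user_owns_attack_source(requester, ip_text):
        return 200
    return 403  # authenticated, but the IP belongs to another org


if __name__ == "__main__":
    # Constructed sample requester using documentation address ranges.
    alice = Requester("alice", org_networks=["192.0.2.0/24", "2001:db8:10::/48"])
    for ip in ("192.0.2.77", "198.51.100.5", "not-an-ip"):
        print(ip, authorize_attack_source(alice, ip))
```

The check runs before any record lookup, so a non-owner gets the same 403 whether or not attack data exists for the requested IP.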