Open k8hughes opened 5 years ago
@k8hughes shouldn't be looking too bad anymore :)
Is it secure? I know we needed to check that the API didn;t open up the DDW to any vunerabilities...
@akmiller01
Is it secure? I know we needed to check that the API didn;t open up the DDW to any vunerabilities...
With my knowledge of SQL and how it's programmed, I've tried my best to pen-test it, and it's not vulnerable to the common attacks. But testing it myself is a little like proofreading your own writing. Would you or Naphlin be able to take a stab at it?
On Thu, Jan 24, 2019, 4:29 AM Edwin P. Magezi <notifications@github.com wrote:
@akmiller01 https://github.com/akmiller01
Is it secure? I know we needed to check that the API didn;t open up the DDW to any vunerabilities...
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/devinit/datahub/issues/489#issuecomment-457127791, or mute the thread https://github.com/notifications/unsubscribe-auth/ACtJaB8-1FsNTMS4DNKnG1wUOlw7fXB4ks5vGX0OgaJpZM4aFjZb .
Oh, but it's built on a read only user. So the worst vulnerability possible would be accessing data they're not supposed to (which should be explicitly blacklisted).
@akmiller01 one last bit on validation... it seems to allow any type of format one specifies. Of course the resulting file is broken, but still, I think it should accept only the allowed formats. http://212.111.41.68:8000/single_table?indicator=population_total&entities=KE,UG&start_year=2000&format=jpg
Since we're not using any authentication/secrets that may require encryption, I don't think the API not being deployed via HTTPS is a big issue... right?
Yep, that makes sense to validate the file format and maybe make a new error code for unknown formats.
And I would agree with you on SSL. It's a "nice-to-have" for all web traffic, but really only necessary when the user is sending sensitive info. The connection between the server and PSQL should already be over SSL (I believe).
On Fri, Jan 25, 2019, 2:43 AM Edwin P. Magezi <notifications@github.com wrote:
@akmiller01 https://github.com/akmiller01 one last bit on validation... it seems to allow any type of format one specifies. Of course the resulting file is broken, but still, I think it should accept only the allowed formats.
Since we're not using any authentication/secrets that may require encryption, I don't think the API not being deployed via HTTPS is a big issue... right?
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/devinit/datahub/issues/489#issuecomment-457484255, or mute the thread https://github.com/notifications/unsubscribe-auth/ACtJaBAWzIWZf_Snqe4RP5rExyFJDl9Rks5vGrWzgaJpZM4aFjZb .
I've moved this into done, but I don't know if there is a new issue that we want to docuent to remind ourselves of the SSL issue? @edwinmp @akmiller01
It needs to be renamed to be called "Development Data Hub API" instead of DDW.
I know API pages don't need to be super designed or pretty but should we have a logo or be using DI fonts? (not sure what is the norm for API pages?)
Have we checked the API is secure and there is no risk of comprising the DDW?