Expected Behaviour
The call to /system/async-report needs to be decorated with basic auth credentials.
Current Behaviour
It is open which is why no changes were needed, but this is invalid because someone could discover the gateway and post false statistics to this endpoint.
Possible Solution
Update docker-compose/helm/yaml to add the basic auth username/password to this component
Update the HTTP call to /system/async-report to pass those secrets
Steps to Reproduce (for bugs)
Deploy OpenFaaS with auth
Post to gateway:port/system/async-report
Context
Found whilst doing a deeper code review on the faas/server entrypoint