serratus-bio / open-virome

monorepo for data explorer UI and APIs
http://openvirome.com/
GNU Affero General Public License v3.0

Switch logan_AWS_RDS_proxy to Read-only user #63

Closed lukepereira closed 3 months ago

lukepereira commented 3 months ago

Currently the lambda is using the write user and is parsing select statements from the POST body.

Looking at the code, it seems possible to run arbitrary write commands. Instead of trying to sanitize all possible edge cases, it seems easiest/best to switch to a read-only user for the lambda and allow read access to all tables.

curl -v 'https://omdmrhz5lb2nrbmodjtm5fxhqq0uevzh.lambda-url.us-east-1.on.aws' \
-H 'content-type: application/json' \
-H 'Authorization: Bearer 20240516' \
-d '{ "SELECT": "* from palm_virome limit 10; CREATE TABLE Test ( objID int )" }'
moralestapia commented 3 months ago

Yes, that read_only user has yet to be created. I'll take care of that and add it to the docs.

almosnow commented 3 months ago

Done, credentials at https://github.com/serratus-bio/logan-backend/blob/master/table/README.md.