Related issue
pitchfork/issues#567
Description
A file is generated every time the YourTurn docker pod runs that holds mostly links. However, it also includes a list of whitelisted users, which is a vulnerability according to this Collibra report.
This PR creates an endpoint that provides the list of whitelisted users behind oauth so it can be concealed from the public. This PR doesn't have an implementation of the endpoint being used because the solution should be tested beforehand, since it pulls this information from node's `process.env`, which is supposedly being injected in the pipeline.
Once this PR is merged and tested, I will follow up with another PR to remove the whitelist from the `env.js` and rely on the endpoint.
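As an added illustration of the design this PR describes (example code, not the pitchfork/YourTurn implementation): a Node request handler that reads the whitelist from `process.env` and returns it only to requests that passed an authentication check, instead of writing it into a public `env.js`. The variable name `WHITELISTED_USERS`, the `/api/whitelist` path and the `isAuthenticated` stand-in for the OAuth middleware are assumptions, and the handler fails closed with 503 when the pipeline has not injected the variable.

```javascript
// Added example, not pitchfork/YourTurn code. The whitelist stays in the
// process environment (assumed variable WHITELISTED_USERS, comma-separated)
// and is served only to authenticated requests, never written to env.js.

// Parse the comma-separated whitelist from an environment object.
// Returns null when the variable is absent or blank so callers fail closed
// instead of serving an empty list that looks like a valid answer.
function parseWhitelist(env) {
  const raw = env.WHITELISTED_USERS;
  if (typeof raw !== "string" || raw.trim() === "") return null;
  return raw.split(",").map((u) => u.trim()).filter((u) => u.length > 0);
}

// Build a Node-style (req, res) handler. `isAuthenticated(req)` stands in
// for the project's OAuth middleware (assumed; not modelled here).
function createWhitelistHandler(env, isAuthenticated) {
  const send = (res, status, payload) => {
    // no-store keeps the list out of shared or browser caches
    res.writeHead(status, { "Content-Type": "application/json", "Cache-Control": "no-store" });
    res.end(JSON.stringify(payload));
  };
  return function handle(req, res) {
    if (req.method !== "GET" || req.url !== "/api/whitelist") {
      return send(res, 404, { error: "not found" });
    }
    if (!isAuthenticated(req)) {
      return send(res, 401, { error: "authentication required" });
    }
    const users = parseWhitelist(env);
    if (users === null) {
      // The pipeline did not inject the variable: report misconfiguration.
      return send(res, 503, { error: "whitelist not configured" });
    }
    return send(res, 200, { users });
  };
}

// Run a handler against a constructed request and capture what it would
// send, so the behaviour can be checked without opening a socket.
function invoke(handler, req) {
  const out = { status: 0, body: "" };
  const res = { writeHead: (s) => { out.status = s; }, end: (b) => { out.body = String(b); } };
  handler(req, res);
  return { status: out.status, body: JSON.parse(out.body) };
}

// Constructed sample environment and a token check standing in for OAuth.
const sampleEnv = { WHITELISTED_USERS: "alice, bob,,carol" };
const handler = createWhitelistHandler(sampleEnv, (req) => req.headers.authorization === "Bearer ok");
console.log(invoke(handler, { method: "GET", url: "/api/whitelist", headers: {} }).status);
```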