Security flaw in collectory api all fields are public #104

Open
1 task
sadeghim opened this issue Sep 4, 2017 · 3 comments
Comments

sadeghim (Member) commented Sep 4, 2017

There is no authentication/security required for accessing the different fields in the dataResource info API, such as: http://collections.ala.org.au/ws/dataResource/dr361

This makes critical information (especially connection properties) visible to everyone.

  • add a check for apikey to output connectionParameters and gbifRegistryKey.
djtfmartin (Member) commented Sep 5, 2017

I think this is fine. The URLs to the underlying data should be blocked with an IP whitelist in Apache.

ansell (Contributor) commented Mar 5, 2019

There is no whitelist implemented in the current collectory server. Whitelists are fragile and are already overused in the ALA security model (both logger and auth rely completely on them).

The connectionParameters variable should only be shown to authenticated (apikey) users and access to the /upload/ directory should also be protected by apikey access.

Is the gbifRegistryKey also sensitive?

nickdos (Contributor) commented Jul 29, 2020

gbifRegistryKey is part of the public URL on GBIF site, so not sensitive.

E.g. dr341 has gbifRegistryKey: "0debafd0-6c8a-11de-8225-b8a03c50a862" and GBIF page is https://www.gbif.org/dataset/0debafd0-6c8a-11de-8225-b8a03c50a862 - note same key in URL.
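An added example, not code from the collectory project or from any of the commenters, illustrating the apikey check proposed in the opening comment and restated by ansell, with gbifRegistryKey left public as nickdos notes. It is a small Python request handler: the dataResource record is returned with connectionParameters stripped unless the caller presents a valid apikey, gbifRegistryKey is always returned, and anything under /upload/ requires an apikey outright. The sample record, the in-memory key set, the "apikey" header name and every connection-parameter value are constructed assumptions for the example, not values from the real service.

```python
import copy
import hmac

# Constructed sample record, shaped like the dataResource JSON discussed in the issue.
# The uid is the one from the issue URL; every other value is made up for this example.
SAMPLE_RESOURCE = {
    "uid": "dr361",
    "name": "Example data resource",
    # Public: the same key appears in the GBIF dataset URL, so there is nothing to hide.
    "gbifRegistryKey": "0debafd0-6c8a-11de-8225-b8a03c50a862",
    # Sensitive: harvest endpoint plus credentials (hypothetical values).
    "connectionParameters": {
        "protocol": "DwC-A",
        "url": "https://example.org/private/export.zip",
        "user": "harvester",
        "password": "s3cret",
    },
}

# Hypothetical server-side set of valid API keys. A real deployment would consult the
# ALA apikey service; an inline set keeps the example runnable offline.
VALID_API_KEYS = {"0123456789abcdef0123456789abcdef"}

# Fields that are only returned to callers presenting a valid apikey.
# gbifRegistryKey is deliberately NOT listed here.
PRIVILEGED_FIELDS = frozenset({"connectionParameters"})


def api_key_is_valid(presented):
    """True if `presented` matches a known key. compare_digest is used so the
    comparison does not leak key material through timing differences."""
    if not presented:
        return False
    presented_bytes = presented.encode("utf-8")
    return any(hmac.compare_digest(presented_bytes, k.encode("utf-8"))
               for k in VALID_API_KEYS)


def filter_resource(resource, api_key=None):
    """Return a copy of `resource` with privileged fields removed unless the caller
    authenticated with a valid apikey. Public fields are always kept."""
    if api_key_is_valid(api_key):
        return copy.deepcopy(resource)
    return {k: copy.deepcopy(v) for k, v in resource.items()
            if k not in PRIVILEGED_FIELDS}


def handle_request(path, headers, resource=SAMPLE_RESOURCE):
    """Minimal dispatcher returning (status, payload). A real handler would serialise
    the payload to JSON. The "apikey" header name is an assumption of this example."""
    api_key = {k.lower(): v for k, v in headers.items()}.get("apikey")

    # Upload directory: no anonymous access at all, per ansell's suggestion.
    if path.startswith("/upload/"):
        if not api_key_is_valid(api_key):
            return 401, {"error": "apikey required"}
        return 200, {"ok": True}

    # Data resource info: always available, but privileged fields are filtered.
    if path == "/ws/dataResource/" + resource["uid"]:
        return 200, filter_resource(resource, api_key)

    return 404, {"error": "not found"}


if __name__ == "__main__":
    print(handle_request("/ws/dataResource/dr361", {}))
    print(handle_request("/ws/dataResource/dr361",
                         {"apikey": "0123456789abcdef0123456789abcdef"}))
```

The anonymous response still carries gbifRegistryKey, and filtering is done on the server before serialisation, so no client-side setting can reveal connectionParameters. Because the check is a key comparison rather than a source address, it does not depend on the fragile IP whitelist arrangement the later comments describe.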
