
#901 Limit Web API submissions to a defined set of users

Approved
closed
None
5
2017-04-20
2016-06-13
Ahasuerus
No

Limit Web API submissions to a defined set of users. This should help prevent a malicious user from flooding the server with bogus submissions and/or submitting a malicious payload. Later on, we will also need to re-review the moderator approval logic to ensure that there are no SQL injection vulnerabilities left after the last round of fixes in late 2013-early 2014.

Discussion

  • Ahasuerus

    Ahasuerus - 2016-06-13
    • summary: Limit Web API submissions to a defined set if users --> Limit Web API submissions to a defined set of users
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1 +1 @@
    -Limit Web API submissions to a defined set if users.
    +Limit Web API submissions to a defined set of users. This should help prevent a malicious user from flooding the server with bogus submissions and or submitting malicious payload. We will also need to re-review the moderator approval logic to ensure that there are no SQL injection vulnerabilities left after the last round of fixes in late 2013-early 2014.
    
     
  • Ahasuerus

    Ahasuerus - 2016-06-13
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1 +1 @@
    -Limit Web API submissions to a defined set of users. This should help prevent a malicious user from flooding the server with bogus submissions and or submitting malicious payload. We will also need to re-review the moderator approval logic to ensure that there are no SQL injection vulnerabilities left after the last round of fixes in late 2013-early 2014.
    +Limit Web API submissions to a defined set of users. This should help prevent a malicious user from flooding the server with bogus submissions and or submitting malicious payload. Later on, we will also need to re-review the moderator approval logic to ensure that there are no SQL injection vulnerabilities left after the last round of fixes in late 2013-early 2014.
    
    • status: open --> closed
     
  • Ahasuerus

    Ahasuerus - 2016-06-13

    Implemented in rest/submission.py 1.10, installed in r2016-096 on 2016-06-13. Closing.

     
  • Uzume

    Uzume - 2017-04-20

    Instead of hard coding a fixed list, it seems like this would have been better attached to the MediaWiki bot flag (http://www.isfdb.org/wiki/index.php/Special:Listusers/bot) since we already use MW permissions for mod and bureaucrat. The bot flag could easily be added in common/SQLparsing.py in much the same way as SQLisUserModerator() just changing "ug_group='sysop'" to "ug_group='bot'".

    Also the whole API LicenseKey thing is questionable considering we could just use the same cookie-based login/authentication process to validate API submissions (and then we would have access to such MW user groups).
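    The group-based check Uzume describes, written out as an added example (not ISFDB's own code from common/SQLparsing.py): membership is read from the MediaWiki `user` / `user_groups` tables with a parameterized query, which also addresses the SQL injection concern in the ticket description. It assumes the real MediaWiki column names; the sqlite3 in-memory database, the rows in it and the helper names are constructed for this example only (ISFDB runs on MySQL).

```python
import sqlite3

# Constructed stand-in for the MediaWiki 'user' and 'user_groups' tables.
# Column names match MediaWiki; sqlite3 is used only so this runs offline.
SCHEMA = """
CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_name TEXT NOT NULL UNIQUE);
CREATE TABLE user_groups (ug_user INTEGER NOT NULL, ug_group TEXT NOT NULL,
                          PRIMARY KEY (ug_user, ug_group));
"""
# Constructed sample accounts: a moderator, a bot account, a plain editor.
SAMPLE_ROWS = [
    (1, "Ahasuerus", ["sysop", "bureaucrat"]),
    (2, "Fixer", ["bot"]),
    (3, "NewEditor", []),
]


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for uid, name, groups in SAMPLE_ROWS:
        conn.execute("INSERT INTO user VALUES (?, ?)", (uid, name))
        conn.executemany("INSERT INTO user_groups VALUES (?, ?)",
                         [(uid, g) for g in groups])
    conn.commit()
    return conn


def sql_is_user_in_group(conn, user_name, group):
    """True if user_name belongs to the given MediaWiki group.
    Both values are bound as parameters, never spliced into the SQL text,
    so a crafted user name cannot change the query."""
    row = conn.execute(
        "SELECT 1 FROM user u JOIN user_groups ug ON ug.ug_user = u.user_id "
        "WHERE u.user_name = ? AND ug.ug_group = ? LIMIT 1",
        (user_name, group),
    ).fetchone()
    return row is not None


def may_submit_via_api(conn, user_name, allowed_groups=("bot",)):
    """Gate Web API submissions on group membership instead of a fixed list."""
    return any(sql_is_user_in_group(conn, user_name, g) for g in allowed_groups)


if __name__ == "__main__":
    db = build_sample_db()
    for name in ("Fixer", "NewEditor", "Ahasuerus", "x' OR '1'='1"):
        print(name, may_submit_via_api(db, name))
```

    Only "Fixer" is allowed by default; passing `allowed_groups=("bot", "sysop")` would let moderators submit as well, with no change to the query.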

     
