asf-tooling opened a new issue, #1056:
URL: https://github.com/apache/tooling-trusted-releases/issues/1056

   **ASVS Level(s):** L2-only
   
   **Description:**
   
   ### Summary
   The Swagger UI (`/api/docs`) and OpenAPI specification (`/api/openapi.json`) are publicly accessible without authentication. While the custom `ApiOnlyOpenAPIProvider` filters admin routes from the specification, the complete API surface for public endpoints is exposed. The `@quart_schema.hide` decorator only hides routes from the OpenAPI spec itself but does NOT restrict access to the endpoints. This exposes complete API surface enumeration, JWT vs unprotected endpoint mapping, request/response data models, parameter types and validation rules, and internal naming conventions.
   
   ### Details
   The issue exists in `atr/server.py`, `atr/blueprints/api.py`, and `atr/templates/about.html` line 51. Blueprint-level protection only applies rate limiting with no authentication check.
   
   ### Recommended Remediation
   **If NOT intended to be public:** Add an authentication check to both the `/api/docs` and `/api/openapi.json` endpoints:
   
   ```python
   import asfquart.session
   import quart

   # `app` is the existing Quart application object.
   @app.before_request
   async def protect_api_docs():
       # Only gate the documentation endpoints; every other route keeps its own checks.
       if quart.request.path in ('/api/docs', '/api/openapi.json'):
           session = await asfquart.session.read()
           if not session:
               return quart.abort(404)  # Hide existence from unauthenticated users
   ```
   
   **If intentionally public:** 
   - Document this decision in configuration or security documentation
   - Consider serving a minimal public version and full version behind auth
   - Ensure the OpenAPI spec doesn't leak internal implementation details
   
   ### Acceptance Criteria
   - [ ] Authentication added to /api/docs endpoint
   - [ ] Authentication added to /api/openapi.json endpoint
   - [ ] Unit tests verify unauthenticated access is rejected
   - [ ] Unit tests verify authenticated access works
   - [ ] OR: Decision to keep public documented with rationale
   - [ ] OR: Minimal public spec created with full spec behind auth
   - [ ] Documentation updated with API documentation access policy
   
   ### References
   - Source reports: L2:13.4.5.md
   - Related findings: None
   - ASVS sections: 13.4.5
   
   ### Priority
   Medium
   
   ---
   
   **Triage notes:** duplicate of 182


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
