Hi,
It looks like there are two security issues in the APIs exposed by the DAS
metering and monitoring dashboards [1], [2]:
- APIs have no authentication mechanism
- Table name is concatenated in the SQL queries
We may need to add an authentication check similar to analytics.jag [3]:
    // Prefer HTTP basic credentials from the Authorization header when present
    var authParam = request.getHeader(AUTHORIZATION_HEADER);
    if (authParam != null) {
        credentials = JSUtils.authenticate(authParam);
        authenticationAdminStub = new AuthenticationAdminStub(authenticationWSUrl);
        authenticationAdminStub.login(credentials[0], credentials[1], LOCALHOST);
        // Carry the session cookie returned by the login call on subsequent calls
        var serviceContext = authenticationAdminStub._getServiceClient()
            .getLastOperationContext().getServiceContext();
        var sessionCookie = serviceContext.getProperty(HTTPConstants.COOKIE_STRING);
        options.setProperty(HTTPConstants.COOKIE_STRING, sessionCookie);
    } else {
        // Otherwise fall back to an already authenticated portal session
        var token = session.get(AUTH_TOKEN);
        if (token != null) {
            options.setProperty(HTTPConstants.COOKIE_STRING, token);
        } else {
            // Neither credentials nor a session: reject the request
            log.error("user is not authenticated!");
            response.status = HTTP_USER_NOT_AUTHENTICATED;
            print('{ "status": "Failed", "message": "User is not authenticated." }');
            return;
        }
    }
In addition, we may need to avoid concatenating table names in SQL queries.

[1] https://github.com/wso2/product-private-paas/tree/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files
[2] https://github.com/wso2/product-private-paas/tree/v4.1.0-rc1/extensions/das/artifacts/monitoring-dashboard/jaggery-files
[3] https://github.com/wso2/carbon-dashboards/blob/master/apps/portal/controllers/apis/analytics.jag#L88
I think we may need to cancel this vote and do RC2 by fixing these problems.
Thanks
On Tue, Oct 20, 2015 at 5:02 PM, Akila Ravihansa Perera <[email protected]>
wrote:
> Hi,
>
> This is the first release candidate of WSO2 Private PaaS 4.1.0.
>
> This release fixes the following issues:
> https://wso2.org/jira/issues/?filter=12464
>
> Please download, test and vote. The vote will be open for 72 hours or as
> needed.
>
> *Source and binary distribution files:*
> https://svn.wso2.org/repos/wso2/scratch/PPAAS/wso2ppaas-4.1.0-rc1
>
> *Maven staging repository:*
> http://maven.wso2.org/nexus/content/repositories/orgwso2ppaas-027/
>
> *The tag to be voted upon:*
> https://github.com/wso2/product-private-paas/tree/v4.1.0-rc1
>
>
> [ ] Broken - do not release (explain why)
> [ ] Stable - go ahead and release
>
>
> Thanks,
> The WSO2 Private PaaS Team
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>
--
*Imesh Gunaratne*
Senior Technical Lead
WSO2 Inc: http://wso2.com
T: +94 11 214 5345 M: +94 77 374 2057
W: http://imesh.gunaratne.org
Lean . Enterprise . Middleware
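Since a table identifier cannot be bound as a prepared-statement parameter, the usual fix for the second issue is to resolve the caller-supplied name against an allow-list and bind only the row filters. The following is an added illustration written in plain JavaScript (Jaggery-style), not code from the product-private-paas dashboards; the table names and the function names resolveTableName and buildUsageQuery are constructed for the example.

```javascript
// Added example, not part of the DAS dashboard code: validate a requested
// table name against an allow-list instead of concatenating it into the SQL
// string. Filter values (tenant id, time range) are passed as "?" placeholders
// so they never touch the query text.

// Constructed allow-list; real names would come from the DAS table definitions.
var ALLOWED_TABLES = {
    "metering_usage": true,
    "monitoring_health": true
};

// Return the name only if it is exactly one of the allow-listed identifiers.
// hasOwnProperty is used so inherited keys such as "constructor" do not pass.
function resolveTableName(requested) {
    if (typeof requested !== "string") {
        return null;
    }
    return Object.prototype.hasOwnProperty.call(ALLOWED_TABLES, requested)
        ? requested
        : null;
}

// Build the query text and a separate parameter array. The table name is
// inserted only after validation; the filter values stay out of the SQL text.
function buildUsageQuery(requestedTable, tenantId, from, to) {
    var table = resolveTableName(requestedTable);
    if (table === null) {
        throw new Error("unknown table: " + requestedTable);
    }
    return {
        sql: "SELECT * FROM " + table + " WHERE tenant_id = ? AND ts BETWEEN ? AND ?",
        params: [tenantId, from, to]
    };
}

// Show one accepted request and one rejected request side by side.
function demo() {
    var ok = buildUsageQuery("metering_usage", 1, 0, 100);
    var rejected;
    try {
        buildUsageQuery("metering_usage; --", 1, 0, 100);
        rejected = false;
    } catch (e) {
        rejected = true;
    }
    return { sql: ok.sql, rejected: rejected };
}
```

The same pattern applies to any other identifier the dashboard takes from the request (column or stream names); the values that vary per row go into the params array and are bound by the driver.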