Unsecured Dev Endpoints
jkhsjdhjs opened this issue · 2 comments
jkhsjdhjs commented
Some development endpoints don't require ROLE_ADMIN and may be accessed by anyone:
- /dev/crash may be used to crash any publicly accessible nzbhydra2 instance,
- /dev/testAddToSonarr is probably less problematic, but it still shouldn't be accessible without login.
https://github.com/theotherp/nzbhydra2/blob/master/core/src/main/java/org/nzbhydra/DevEndpoint.java
I wrote a mail regarding this issue at first, as it has some abuse potential. However, I didn't receive a reply in 2 weeks, which is why I'm creating this issue now.
theotherp commented
Sorry, I don't read the mails often enough.
On Fri, 15 Mar 2024, 14:20 jkhsjdhjs wrote:
Some development endpoints don't require ROLE_ADMIN and may be accessed
by anyone:
- /dev/crash may be used to crash any publicly accessible nzbhydra2
instance,
- /dev/testAddToSonarr is probably less problematic, but it still
shouldn't be accessible without login.
https://github.com/theotherp/nzbhydra2/blob/master/core/src/main/java/org/nzbhydra/DevEndpoint.java
I wrote a mail regarding this issue at first, as it has some abuse
potential. However, I didn't receive a reply in 2 weeks, which is why I'm
creating this issue now.
theotherp commented
Thanks for the report. I've added required admin access and additionally made the crash endpoint require a certain system property to be set.
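To illustrate the layered fix the maintainer describes (ROLE_ADMIN required on the dev endpoints, plus a system-property gate on /dev/crash), here is an added Spring Security example; it is not nzbhydra2's own code, and the package name, property name, class layout and the use of HTTP Basic as the login mechanism are assumptions.

```java
package example.dev; // hypothetical package, not the project's

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity
class DevSecurityConfig {
    // Layer 1: a URL-level rule covering everything under /dev/**, so a future
    // dev endpoint that forgets its annotation is still admin-only. @Order(1)
    // makes this chain take precedence over the application's main chain.
    @Bean
    @Order(1)
    SecurityFilterChain devEndpointChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/dev/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("ADMIN"))
            .httpBasic(basic -> {}); // assumption: whichever login the app already uses
        return http.build();
    }
}

@RestController
class DevEndpoint {
    // Hypothetical property name; the project's real property name is not on the page.
    static final String CRASH_ENABLED_PROPERTY = "example.dev.crash.enabled";

    // Layer 2: method-level check, so the handler stays protected even if it is
    // ever reached through a mapping the filter chain above does not cover.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/dev/crash")
    ResponseEntity<String> crash() {
        // Layer 3: the destructive endpoint only exists when the operator opted in
        // at startup with -Dexample.dev.crash.enabled=true. Answering 404 instead of
        // 403 avoids advertising the endpoint on instances where it is disabled.
        if (!Boolean.getBoolean(CRASH_ENABLED_PROPERTY)) {
            return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
        }
        // The deliberate development-only crash would be triggered here.
        return ResponseEntity.ok("crash endpoint enabled for this admin session");
    }

    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/dev/testAddToSonarr")
    ResponseEntity<String> testAddToSonarr() {
        return ResponseEntity.ok("admin-only development endpoint");
    }
}
```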