theotherp/nzbhydra2

Unsecured Dev Endpoints

jkhsjdhjs opened this issue · 2 comments

Some development endpoints don't require ROLE_ADMIN and may be accessed by anyone:

  • /dev/crash may be used to crash any publicly accessible nzbhydra2 instance,
  • /dev/testAddToSonarr is probably less problematic, but it still shouldn't be accessible without login.

https://github.com/theotherp/nzbhydra2/blob/master/core/src/main/java/org/nzbhydra/DevEndpoint.java

I wrote a mail regarding this issue at first, as it has some abuse potential. However, I didn't receive a reply in 2 weeks, which is why I'm creating this issue now.

Thanks for the report. I've added required admin access and additionally made the crash endpoint require a certain system property to be set.
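The two-layer fix described in the reply, as an added illustration in Spring Boot / Spring Security (this is not nzbhydra2's own code): a path-based rule that requires ROLE_ADMIN for everything under `/dev/**`, so a forgotten handler annotation can no longer expose a dev endpoint, plus a JVM system property that the crash endpoint checks before doing anything. The property name `nzbhydra.dev.allowCrash`, the role name and the method names are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical security config (added example). Gating by URL pattern at the
// filter-chain level protects every current and future /dev/* handler at once.
@Configuration
@EnableWebSecurity
class DevEndpointSecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/dev/**").hasRole("ADMIN")   // ROLE_ADMIN only
                .anyRequest().authenticated());
        return http.build();
    }
}

@RestController
@RequestMapping("/dev")
class HardenedDevEndpoint {
    // Second gate, independent of authentication: the operator must start the
    // JVM with -Dnzbhydra.dev.allowCrash=true (assumed name) to enable /dev/crash.
    static final String ALLOW_CRASH_PROPERTY = "nzbhydra.dev.allowCrash";

    static boolean crashEndpointEnabled() {
        return Boolean.getBoolean(ALLOW_CRASH_PROPERTY);
    }

    @GetMapping("/crash")
    ResponseEntity<String> crash() {
        if (!crashEndpointEnabled()) {
            // Respond 404 so an instance without the property does not advertise the endpoint.
            return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
        }
        // Reached only by an admin on an instance explicitly started with the property;
        // the original endpoint's deliberate crash would be invoked here.
        return ResponseEntity.accepted().body("crash endpoint enabled for this admin session");
    }

    @GetMapping("/testAddToSonarr")
    ResponseEntity<String> testAddToSonarr() {
        // Covered by the /dev/** ROLE_ADMIN rule alone; no extra property needed.
        return ResponseEntity.ok("would add a test entry to Sonarr");
    }
}
```

An unauthenticated request to `/dev/crash` is now rejected by the filter chain before the controller runs, and an admin request still gets a 404 unless the property was set at startup.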