Hi,

It looks like there are two security issues in the APIs exposed by the DAS metering and monitoring dashboards [1], [2]:

- APIs have no authentication mechanism
- Table name is concatenated in the SQL queries

We may need to add an authentication check similar to analytics.jag [3]:

    // Prefer an Authorization header; fall back to the session token.
    var authParam = request.getHeader(AUTHORIZATION_HEADER);
    if (authParam != null) {
        credentials = JSUtils.authenticate(authParam);
        authenticationAdminStub = new AuthenticationAdminStub(authenticationWSUrl);
        authenticationAdminStub.login(credentials[0], credentials[1], LOCALHOST);
        var serviceContext = authenticationAdminStub._getServiceClient().getLastOperationContext()
            .getServiceContext();
        // Reuse the cookie from the login call on the outgoing service client.
        var sessionCookie = serviceContext.getProperty(HTTPConstants.COOKIE_STRING);
        options.setProperty(HTTPConstants.COOKIE_STRING, sessionCookie);
    } else {
        var token = session.get(AUTH_TOKEN);
        if (token != null) {
            options.setProperty(HTTPConstants.COOKIE_STRING, token);
        } else {
            // Neither header nor session token: reject before doing any work.
            log.error("user is not authenticated!");
            response.status = HTTP_USER_NOT_AUTHENTICATED;
            print('{ "status": "Failed", "message": "User is not authenticated." }');
            return;
        }
    }

In addition we may need to avoid concatenating table names in SQL queries.

[1] https://github.com/wso2/product-private-paas/tree/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files
[2] https://github.com/wso2/product-private-paas/tree/v4.1.0-rc1/extensions/das/artifacts/monitoring-dashboard/jaggery-files
[3] https://github.com/wso2/carbon-dashboards/blob/master/apps/portal/controllers/apis/analytics.jag#L88

I think we may need to cancel this vote and do RC2 by fixing these problems.

Thanks

On Tue, Oct 20, 2015 at 5:02 PM, Akila Ravihansa Perera <raviha...@wso2.com> wrote:
> Hi,
>
> This is the first release candidate of WSO2 Private PaaS 4.1.0.
>
> This release fixes the following issues:
> https://wso2.org/jira/issues/?filter=12464
>
> Please download, test and vote. The vote will be open for 72 hours or as
> needed.
>
> *Source and binary distribution files:*
> https://svn.wso2.org/repos/wso2/scratch/PPAAS/wso2ppaas-4.1.0-rc1
>
> *Maven staging repository:*
> http://maven.wso2.org/nexus/content/repositories/orgwso2ppaas-027/
>
> *The tag to be voted upon:*
> https://github.com/wso2/product-private-paas/tree/v4.1.0-rc1
>
>
> [ ] Broken - do not release (explain why)
> [ ] Stable - go ahead and release
>
>
> Thanks,
> The WSO2 Private PaaS Team
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>

--
*Imesh Gunaratne*
Senior Technical Lead
WSO2 Inc: http://wso2.com
T: +94 11 214 5345
M: +94 77 374 2057
W: http://imesh.gunaratne.org
Lean . Enterprise . Middleware