Security audit of JsonSchemasAPI.java and RamlsAPI.java
Assignee: Unassigned
Development Team: Core: Platform
Created May 13, 2020 at 10:14 AM
Updated May 13, 2020 at 10:15 AM

Description
RMB-616 decided that

    /_/jsonSchemas = JsonSchemasAPI.java
    /_/ramls = RamlsAPI.java

should use "permissionsRequired": [ ] so that anyone on the internet can call these APIs; no login is needed.
Tasks:

1. Add a note to the class javadoc stating that these classes are exposed to the internet without login, and that every pull request changing their code therefore requires a rigorous code review, including a security audit, before approval.
2. Conduct a security audit of these files to ensure that they are safe.
3. The security audit should include a review of the regular expressions. Can they be avoided? Is there a regular expression denial of service (ReDoS)? https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
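As an added illustration of the two questions in task 3 (can the regex be avoided, and if not, can it backtrack), the following Java class shows how an unauthenticated handler like these could validate a requested file-name segment in linear time. It is example code written for this ticket, not code from RMB or from JsonSchemasAPI.java/RamlsAPI.java; the class and method names, the allowed character set and the 255-character limit are assumptions chosen for the demonstration.

```java
import java.util.regex.Pattern;

// Added illustration, not code from RMB: two ways to validate a single
// file-name segment (as a /_/jsonSchemas or /_/ramls handler might receive)
// so that the check runs in linear time regardless of what the caller sends.
public final class SegmentCheck {

    // Assumed limit for the example; RMB's real limits are not given in the ticket.
    private static final int MAX_LENGTH = 255;

    // Option 1: no regular expression at all. One pass over the characters,
    // so there is no backtracking and nothing for a crafted input to amplify.
    public static boolean isSafeSegment(String s) {
        if (s == null || s.isEmpty() || s.length() > MAX_LENGTH) {
            return false;
        }
        if (s.equals(".") || s.equals("..")) {   // reject directory traversal segments
            return false;
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean allowed = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
            if (!allowed) {
                return false;
            }
        }
        return true;
    }

    // Option 2: if a regex is kept, keep it backtracking-free. A single
    // character class with a bounded repeat has no nested or overlapping
    // quantifiers (the ReDoS shape to look for in review is something like
    // "(a+)+" or "(.*a){n}"), and the length is checked before the matcher runs.
    private static final Pattern SEGMENT =
            Pattern.compile("[A-Za-z0-9._-]{1," + MAX_LENGTH + "}");

    public static boolean isSafeSegmentRegex(String s) {
        return s != null
                && s.length() <= MAX_LENGTH
                && !s.equals(".") && !s.equals("..")
                && SEGMENT.matcher(s).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration; both checks agree on each.
        String[] samples = { "mod-users.json", "raml-util.raml", "..", "a b.json", "x/y.json", "" };
        for (String s : samples) {
            System.out.printf("%-18s noRegex=%-5b regex=%b%n", "\"" + s + "\"",
                    isSafeSegment(s), isSafeSegmentRegex(s));
        }
    }
}
```

For an audit of the real classes the useful checks are the same two: whether each pattern can be replaced by an explicit character walk like isSafeSegment, and, where a Pattern stays, whether the input length is bounded before matching and the pattern contains no nested or overlapping quantifiers.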