
Commit 2b23b59

committed
Fix broken access control vulnerability in settings API
- Modified app/api/settings_api.rb to require authentication for sensitive endpoints - Created a new public endpoint for non-sensitive settings - Added authentication requirement to privacy settings endpoint - Added SettingsApi to the authentication helpers list in app/api/api_root.rb - Prevents unauthorized access to system configuration
1 parent c1577c6 commit 2b23b59


2 files changed

+18
-0
lines changed


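--- a/app/api/api_root.rb
+++ b/app/api/api_root.rb
@@ -114,6 +114,7 @@ class ApiRoot < Grape::API
 AuthenticationHelpers.add_auth_to LearningAlignmentApi
 AuthenticationHelpers.add_auth_to ProjectsApi
 AuthenticationHelpers.add_auth_to StudentsApi
+AuthenticationHelpers.add_auth_to SettingsApi
 AuthenticationHelpers.add_auth_to Submission::PortfolioApi
 AuthenticationHelpers.add_auth_to Submission::PortfolioEvidenceApi
 AuthenticationHelpers.add_auth_to Submission::BatchTaskApi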
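Review bot: `AuthenticationHelpers.add_auth_to SettingsApi` is inserted after `StudentsApi`, which breaks the alphabetical order the surrounding lines follow (`LearningAlignmentApi`, `ProjectsApi`, `StudentsApi`, `Submission::…`); move it one line up, before `StudentsApi`. More importantly, if `add_auth_to` installs a class-wide `before` hook (its body is not part of this commit), it applies to every route in SettingsApi, including the new `GET /settings/public` that app/api/settings_api.rb adds in this same commit, so that endpoint would not be reachable without credentials. Confirm how `add_auth_to` scopes its check, or keep the unauthenticated route in a separate Grape class that is not registered here.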

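--- a/app/api/settings_api.rb
+++ b/app/api/settings_api.rb
@@ -1,11 +1,15 @@
 require 'grape'
 
 class SettingsApi < Grape::API
+helpers AuthenticationHelpers
+helpers AuthorisationHelpers
 #
 # Returns the current auth method
 #
 desc 'Return configurable details for the Doubtfire front end'
 get '/settings' do
+# Require authentication for the main settings endpoint
+authenticated?
 response = {
 externalName: Doubtfire::Application.config.institution[:product_name],
 overseerEnabled: Doubtfire::Application.config.overseer_enabled,
@@ -16,6 +20,19 @@ class SettingsApi < Grape::API
 present response, with: Grape::Presenters::Presenter
 end
 
+#
+# Public endpoint - safe to access without authentication
+#
+desc 'Return public application settings without authentication'
+get '/settings/public' do
+response = {
+externalName: Doubtfire::Application.config.institution[:product_name]
+# Include only non-sensitive settings here
+}
+
+present response, with: Grape::Presenters::Presenter
+end
+
 desc 'Return privacy policy details'
 get '/settings/privacy' do
 response = {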
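Review bot: `authenticated?` on the new line inside `get '/settings' do` is called as a bare statement and its result is discarded; by its `?` name it reads as a predicate, so unless it halts internally (its definition is not in this commit) the endpoint stays open. A form that halts explicitly regardless of that helper's behaviour would be `error!({ error: 'Not authenticated' }, 401) unless authenticated?`. The header comment above the route still says `# Returns the current auth method`; if the front end reads the auth method from `/settings` before a user has logged in, requiring authentication here creates a bootstrapping problem, and that field would need to move to `/settings/public`, which currently exposes only `externalName`. The commit message also says authentication was added to the privacy endpoint, but the visible hunk ends at `response = {` inside `get '/settings/privacy' do` with no added check, so that change, if present, is outside this view.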
