Skip to content

Harden access control on a backend endpoint #182

Description

@dobby-coder

Access-control hardening is needed on one of the backend HTTP endpoints. Details, reproduction, and the suggested fix are in the private draft security advisory (maintainer-only):

https://github.com/encryption4all/cryptify/security/advisories/GHSA-5rhx-xgvv-h78h

Scope: enforce authentication/ownership on the affected endpoint so it can no longer be queried anonymously for arbitrary inputs. A small secondary hardening item (constant-time token comparison) is noted in the advisory. Please keep specifics in the advisory thread, not in this public issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity-related issue (vulnerability, hardening, or risk)

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions