Fix DoS vulnerability in SplitConfigs controller
There was a bug in the authentication code that would allow an unauthenticated attacker to mark a running split as complete, breaking clients in the field that depended on the split.
This vulnerability has been assigned CVE identifier CVE-2017-1000068.
Affected versions:
All versions of TestTrack less than 1.0.1
Impact:
AuthenticatedApiController, the base class of all authenticated endpoints, was making incorrect use of authenticate_with_http_basic. authenticate_with_http_basic does not evaluate the provided block if there is no basic auth header in the request, and it does not halt the request either, so request processing proceeded even when no credentials at all were provided.
The impact was mitigated by the fact that most authenticated endpoints require current_app in order to fulfill their functions. The exception was the SplitConfigsController, which would deactivate any split provided by an unauthenticated client.
The fix was two-fold:
- Disallow finishing splits not owned by current_app
- Use authenticate_or_request_with_http_basic, which will halt the filter chain and return 401 if no HTTP basic auth credentials are provided.
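The difference between the two helpers, as an added illustration that is not TestTrack's code: a dependency-free Ruby model of the Rails semantics described above, with a vulnerable before_action beside the fixed one and the ownership check from the first half of the fix. The credentials, split names and owner mapping are constructed sample data.

```ruby
require 'base64'

# Constructed sample data: per-app basic auth credentials and split ownership.
APP_CREDENTIALS = { 'client_app' => 'secret' }.freeze
SPLIT_OWNERS = { 'signup_button' => 'client_app', 'checkout_flow' => 'other_app' }.freeze

Request = Struct.new(:authorization)

class BasicAuthFilter
  attr_reader :current_app

  # Models authenticate_with_http_basic: the block runs only when an
  # "Authorization: Basic ..." header is present; with no header it returns
  # nil and the caller simply keeps going.
  def authenticate_with_http_basic(request)
    header = request.authorization
    return nil unless header && header.start_with?('Basic ')
    user, pass = Base64.decode64(header.sub('Basic ', '')).split(':', 2)
    yield(user, pass)
  end

  # Models authenticate_or_request_with_http_basic: a falsy login result
  # (no header or bad credentials) becomes a 401 that halts the filter chain.
  def authenticate_or_request_with_http_basic(request, &login)
    authenticate_with_http_basic(request, &login) || :halt_401
  end

  # Vulnerable shape: the helper's result is ignored, so a request with no
  # header reaches the action with current_app == nil.
  def vulnerable_before_action(request)
    authenticate_with_http_basic(request) do |user, pass|
      @current_app = user if APP_CREDENTIALS[user] == pass
    end
    :continue
  end

  # Fixed shape: anything other than a successful login stops the request.
  def fixed_before_action(request)
    result = authenticate_or_request_with_http_basic(request) do |user, pass|
      @current_app = user if APP_CREDENTIALS[user] == pass
    end
    result == :halt_401 ? :halt_401 : :continue
  end

  # First half of the fix: only the app that owns a split may finish it.
  def finish_split(split_name)
    return :forbidden unless current_app && SPLIT_OWNERS[split_name] == current_app
    :finished
  end
end

def basic_header(user, pass)
  "Basic #{Base64.strict_encode64("#{user}:#{pass}")}"
end
```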
Releases:
The fixed version, v1.0.1, is available via GitHub.
Credits:
Thanks to @agirlnamedsophia for identifying the underlying authentication vulnerability.