Anybody in my team can easily expose sensitive data by sharing the URL with API requests to query results. Users can click on this URL and receive query results without any authorization. Moreover, it is not possible to revoke access to query results shared in such a way. It's not even possible to identify which queries were shared in such a way. So, once the URL has been shared, you can't do anything apart from deleting the query and cleaning up the query result.
Please note that when we are sharing the dashboard, there is a clear message that it will be publicly available. It may be worth adding something similar for query results to emphasize that query results will also be publicly available.
Steps to Reproduce
1. Go to Queries -> New Query
2. Write any query and click on the show API key
3. Copy the example API call and try to open it in another browser in InPrivate mode
Expected result:
There should be an additional layer of security that can eliminate exposing URLs to query results with sensitive data:
- The API user should receive a token using his credentials to Redash
- Then, via this token, the API user can get access to the query results

Or at least there should be a way to track such shared query results and revoke access to them.
Technical details:
Redash Version: v10.1.0
Browser/OS: Chrome/Windows
How did you install Redash: via docker image
That seems like expected behavior. Using one of those query URLs is a pretty common pattern of making a page available to anyone who has the unique URL, yet is sufficiently complex that no one can guess it.
If you want to provide access to queries without passing a token in the URL, you should use user tokens which are passed as a header when making API calls to queries.
@iholoviy I'm just another user, but I can at least let you know that the database stores query executions in the query_result table and the API key for the query is in query.api_key, which you could probably manually cycle (I have not tried this).
The UI lets you cycle tokens for users and I agree having that functionality for the query makes sense too.
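As an added example (not part of the original thread and not Redash code): one way to identify which queries have been fetched with a key in the URL is to scan the reverse-proxy access log. The nginx "combined" log format, the `/api/queries/<id>/results` URL shape and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in nginx "combined" format (assumed log format).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:10:01:02 +0000] "GET /api/queries/42/results.json?api_key=EXAMPLEKEYAAAA HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2023:10:07:45 +0000] "GET /api/queries/42/results.csv?api_key=EXAMPLEKEYAAAA HTTP/1.1" 200 4096 "-" "curl/7.88"
10.0.0.5 - - [12/Mar/2023:10:09:00 +0000] "GET /api/queries/7/results.json HTTP/1.1" 200 900 "-" "python-requests/2.31"
198.51.100.3 - - [12/Mar/2023:11:15:10 +0000] "GET /api/queries/13/results.json?api_key=EXAMPLEKEYBBBB HTTP/1.1" 403 120 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Mar/2023:11:20:00 +0000] "GET /dashboard/sales?api_key=x HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumed URL shape: /api/queries/<id>/results[/<result_id>][.<filetype>]
RESULTS_RE = re.compile(r'^/api/queries/(?P<qid>\d+)/results(?:/\d+)?(?:\.\w+)?$')


def find_url_key_access(log_text):
    """Return {query_id: {hits, ok, clients, key_fingerprints}} for result
    downloads that carried api_key in the URL instead of in a header."""
    report = defaultdict(lambda: {"hits": 0, "ok": 0, "clients": set(), "key_fingerprints": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m["target"])
        path = RESULTS_RE.match(url.path)
        keys = parse_qs(url.query).get("api_key")
        if not path or not keys:
            continue  # header-authenticated or unrelated request
        entry = report[int(path["qid"])]
        entry["hits"] += 1
        entry["ok"] += int(m["status"].startswith("2"))  # data was actually served
        entry["clients"].add(m["ip"])
        # Keep a short hash, never the key itself, so the report can be shared.
        entry["key_fingerprints"].add(hashlib.sha256(keys[0].encode()).hexdigest()[:12])
    return dict(report)


if __name__ == "__main__":
    for qid, e in sorted(find_url_key_access(SAMPLE_LOG).items()):
        print(f"query {qid}: {e['hits']} URL-key requests ({e['ok']} successful) "
              f"from {sorted(e['clients'])}, key fingerprints {sorted(e['key_fingerprints'])}")
```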