Expected behavior
The job that updates the SPP (Steemplus Points) should only run every hour, as stated in the code itself.
Only authorized persons should be able to start resource-intensive jobs on the steemplus API server. Such functionality should never be exposed via an API.
Actual behavior
Every user is able to call the mentioned API endpoint to start the job manually. A malicious user could use this to overload the steemplus API server, resulting in a DoS (Denial-of-Service) attack.
How to reproduce
The bug can be reproduced simply by calling the corresponding API endpoint: /job/update-steemplus-points
Solution
One solution is to protect the API endpoint with a private key stored in the config, so that only authorized callers can invoke the function.
Another solution is to not expose this function via the API at all and only trigger it internally via a cronjob or similar.
I decided to go with solution number one and started a pull request for it: Pull-Request
Recording Of The Bug
Before executing the job:
Executing the job:
After executing the job:
As we can see, my user information was created and my points were updated without waiting for an hour.