Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Protect telemetry properties route #15111

Merged
merged 6 commits into from Dec 13, 2022
Merged

Protect telemetry properties route #15111

merged 6 commits into from Dec 13, 2022

Conversation

christiancp100
Copy link
Member

What does it do?

Makes admin/telemetry-properties route private just for admin users and modifies the frontend so that it doesn't break because of this backend protection.

Why is it needed?

To avoid potential security gaps exposing sensitive data of the strapi instance.

How to test it?

Try to go to admin/telemetry-properties and check that it gives a 401 error if a valid Bearer token is not provided. Check also that in the admin interface, the admin/telemetry-properties route is not being called when the frontend doesn't have a valid token.

Related issue(s)/PR(s)

Needs to be merged before: #14900

@christiancp100 christiancp100 self-assigned this Dec 7, 2022
@christiancp100 christiancp100 added the source: core:admin Source is core/admin package label Dec 7, 2022
@codecov
Copy link

codecov bot commented Dec 7, 2022
edited

Codecov Report

Base: 59.87% // Head: 59.90% // Increases project coverage by +0.02% 🎉

Coverage data is based on head (ebe63ba) compared to base (938b758).
Patch coverage: 50.00% of modified lines in pull request are covered.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #15111      +/-   ##
==========================================
+ Coverage   59.87%   59.90%   +0.02%     
==========================================
  Files        1348     1348              
  Lines       32810    32812       +2     
  Branches     6260     6260              
==========================================
+ Hits        19646    19655       +9     
+ Misses      11308    11302       -6     
+ Partials     1856     1855       -1
Flag Coverage Δ
back 50.07% <ø> (ø)
front 64.36% <50.00%> (+0.03%) ⬆️
unit_back 50.07% <ø> (ø)
unit_front 64.36% <50.00%> (+0.03%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
packages/core/admin/admin/src/pages/App/index.js 66.66% <50.00%> (-0.65%) ⬇️
...core/admin/admin/src/hooks/useFetchClient/index.js 100.00% <0.00%> (+66.66%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

gu-stav
gu-stav reviewed Dec 7, 2022
View reviewed changes
packages/core/admin/admin/src/pages/App/index.js Outdated
Comment on lines 86 to 95
if (uuid && currentToken) {
const {
data: { data: properties },
} = await axios.get(`${strapi.backendURL}/admin/telemetry-properties`);
} = await axios.get(`${strapi.backendURL}/admin/telemetry-properties`, {
headers: {
Authorization: `Bearer ${currentToken}`,
Accept: 'application/json',
'Content-Type': 'application/json',
},
});
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@simotae14 Where are we with the new fetch hook? This would be a prime example to use it :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

He's on holiday but it's ready to merge, so maybe we should just merge it?

Copy link
Contributor

@gu-stav gu-stav Dec 7, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would be great - I'll do it. @christiancp100 Would be up to refactoring this part a bit using #14759?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, actually I did it with the useFetchClient hook in the first place a couple of weeks ago, but as it wasn't getting merged I re-implemented it without it.

Bassel17
Bassel17 previously approved these changes Dec 13, 2022
View reviewed changes
gu-stav
gu-stav approved these changes Dec 13, 2022
View reviewed changes
Copy link
Contributor

@gu-stav gu-stav left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you 🌻

joshuaellis
joshuaellis approved these changes Dec 13, 2022
View reviewed changes
Copy link
Member

@joshuaellis joshuaellis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💯

@christiancp100 christiancp100 added the pr: security This PR is security issue label Dec 13, 2022
@christiancp100 christiancp100 merged commit 314c183 into main Dec 13, 2022
@gu-stav gu-stav deleted the protect-telemetry-properties branch December 13, 2022 18:39
@gu-stav gu-stav added this to the 4.5.4 milestone Dec 14, 2022
@Xander-SquareKicker
Copy link

Xander-SquareKicker commented Jan 24, 2023
edited

Issue related to this fix encountered. Does not impact any visible functionality, however may not be a desired outcome.

nvm: 18.13.0
Strapi: 4.5.4
db: postgreSQL

Whenever loading up the admin interface, specifically in develop,
'GET /admin/telemetry-properties (1 ms) 401' is logged in the develop logs. I believe this is directly related to this fix.

The important piece of information is that the user is not yet logged in, which is causing the request to fail...as they have no auth token.

Steps to repeat:

  • Strapi version 4.5.4, and all plugins also
  • 'yarn install && yarn develop'
  • Visit 'localhost:1337/admin'
  • 401 error will appear in logs.

Let me know if this is a problem, or the intended outcome.

@bobbylipps
Copy link

Issue related to this fix encountered. Does not impact any visible functionality, however may not be a desired outcome.

nvm: 18.13.0 Strapi: 4.5.4 db: postgreSQL

Whenever loading up the admin interface, specifically in develop, 'GET /admin/telemetry-properties (1 ms) 401' is logged in the develop logs. I believe this is directly related to this fix.

The important piece of information is that the user is not yet logged in, which is causing the request to fail...as they have no auth token.

Steps to repeat:

  • Strapi version 4.5.4, and all plugins also
  • 'yarn install && yarn develop'
  • Visit 'localhost:1337/admin'
  • 401 error will appear in logs.

Let me know if this is a problem, or the intended outcome.

I fixed it by deleting the .cache, build & node_modules folders and running yarn install -> yarn develop

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gu-stav gu-stav gu-stav approved these changes

@joshuaellis joshuaellis joshuaellis approved these changes

@Bassel17 Bassel17 Bassel17 left review comments

@simotae14 simotae14 Awaiting requested review from simotae14

@Convly Convly Awaiting requested review from Convly

@innerdvations innerdvations Awaiting requested review from innerdvations

Assignees

@christiancp100 christiancp100

Labels
pr: security This PR is security issue source: core:admin Source is core/admin package
Projects
None yet
Milestone
4.5.4
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@christiancp100 @Xander-SquareKicker @bobbylipps @gu-stav @Bassel17 @joshuaellis