Unsecured Dev Endpoints #923
Labels
Comments
|
Sorry, I don't read the mails often enough.
…On Fri, 15 Mar 2024, 14:20 jkhsjdhjs, ***@***.***> wrote:
Some development endpoints don't require ROLE_ADMIN and may be accessed
by anyone:
- /dev/crash may be used to crash any publicly accessible nzbhydra2
instance,
- /dev/testAddToSonarr is probably less problematic, but it still
shouldn't be accessible without login.
https://github.com/theotherp/nzbhydra2/blob/master/core/src/main/java/org/nzbhydra/DevEndpoint.java
I wrote a mail regarding this issue at first, as it has some abuse
potential. However, I didn't receive a reply in 2 weeks, which is why I'm
creating this issue now.
—
Reply to this email directly, view it on GitHub
<#923>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ADNUA6PPSJDCYEO2SPDTRYTYYLYR3AVCNFSM6AAAAABEX72KHWVHI2DSMVQWIX3LMV43ASLTON2WKOZSGE4DQNJQGE4DCOI>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
|
Thanks for the report, I've added required admin access and additionally made the crash endpoint require a certain system property to be set. |
theotherp
added a commit
that referenced
this issue
Mar 18, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Some development endpoints don't require
ROLE_ADMINand may be accessed by anyone:/dev/crashmay be used to crash any publicly accessible nzbhydra2 instance,/dev/testAddToSonarris probably less problematic, but it still shouldn't be accessible without login.https://github.com/theotherp/nzbhydra2/blob/master/core/src/main/java/org/nzbhydra/DevEndpoint.java
I wrote a mail regarding this issue at first, as it has some abuse potential. However, I didn't receive a reply in 2 weeks, which is why I'm creating this issue now.
The text was updated successfully, but these errors were encountered: