Bug 57058 - Expose UDM OpenAPI schema UI via UDM REST API server
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-6-errata
Assigned To: Florian Best
QA Contact: Maximilian Janßen
Depends on:
Blocks:
Reported: 2024-02-14 14:39 CET by Florian Best
Modified: 2024-02-21 13:08 CET

What kind of report is it?: Development Internal
Description Florian Best univentionstaff 2024-02-14 14:39:11 CET
The UDM REST API OpenAPI Schema UI is currently exposed via Apache.
For containerized environments, having an additional HTTP container for these static files is currently not planned.
Therefore the UDM REST API server can expose this additionally.
Comment 1 Florian Best univentionstaff 2024-02-14 15:42:39 CET
For containerized environments, the UDM REST API OpenAPI Schema user interface is now exposed via the UDM REST API server as well.

univention-directory-manager-rest.yaml
13e118e1a356 | feat(udm-rest): expose static files also via tornado

univention-directory-manager-rest (10.0.7-9)
13e118e1a356 | feat(udm-rest): expose static files also via tornado
    While this is a security risk, for Nubus developers we have a plain
    UDM REST API container without a gateway container for static files in front of it,
    serving the openapi UI.
Comment 2 Maximilian Janßen univentionstaff 2024-02-14 16:09:14 CET
OK: Code review
OK: Portal and UMC functionality
OK: curl -i 'http://localhost:9979/udm/schema/index.html'
OK: Package update from older versions
OK: Advisory / Changelog entry
Comment 3 Daniel Tröder univentionstaff 2024-02-15 08:02:02 CET
(In reply to Florian Best from comment #1)

>     While this is a security risk, for Nubus developers we have a plain
>     UDM REST API container without a gateway container for static files in front of it,
>     serving the openapi UI.

Please describe the security risk posed by serving static files by tornado without an HTTP proxy in front of it.
Comment 4 Florian Best univentionstaff 2024-02-15 18:25:32 CET
(In reply to Daniel Tröder from comment #3)
> Please describe the security risk posed by serving static files by tornado
> without an HTTP proxy in front of it.

It's basically: Apache runs as www-data, while UDM-REST runs as root.
Security holes in Python, Tornado/Flask/FastAPI/etc. or dependencies of them might be more likely than in Apache or Nginx.
For example, I think Apache disallows this URI, but tornado resolves it and serves the content, if it's underneath the base document root:
http://localhost:9979/udm/schema/../css/style.css
I tested that it disallows:
http://localhost:9979/udm/schema/../../../../../../etc/machine.secret
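The two URIs from comment 4, as an added example that is not code from the UDM REST API, Tornado or Apache: a containment check for a static-file handler, run against a constructed directory layout that stands in for the package's static files mounted under /udm/. The names `resolve_static_path`, `decide`, `build_demo_root` and `has_escape_symlink` are assumptions made for the illustration. It shows the behaviour comment 4 describes for tornado (a `..` that stays under the document root is resolved and the file is served) next to the stricter policy of refusing dot segments outright, and that the realpath containment check rejects the `/etc/machine.secret` attempt under either policy, as well as a symlink and an absolute path smuggled into the join.

```python
"""Containment check for a static-file handler (added illustration of comment 4).

Not code from the UDM REST API or from Tornado: it models the two behaviours
discussed there (a '..' that stays under the document root versus one that
leaves it) and adds the stricter policy a gateway in front of the service would
normally apply.  Function names and the directory layout are assumptions.
"""
import os
import tempfile
from urllib.parse import unquote


class PathRejected(Exception):
    """The request path must not be served (a handler would answer 403)."""


def resolve_static_path(root, request_path, reject_dot_segments=True):
    """Map the part of the URL after the static prefix (everything after
    /udm/ in /udm/schema/../css/style.css) to a file under `root`.

    Layer 1 (optional): refuse any '.' or '..' segment outright, even one that
    would stay inside `root`.  A traversal attempt is a signal, not a file to
    serve; this is the conservative behaviour one wants at the edge.
    Layer 2 (always): resolve the candidate with realpath, which collapses
    '..' and follows symlinks, and require it to lie under the real root.
    This is the check that stops ../../../../../../etc/machine.secret.
    """
    decoded = unquote(request_path)  # decode once, so %2e%2e is seen as '..'
    if reject_dot_segments and any(seg in (".", "..") for seg in decoded.split("/")):
        raise PathRejected("dot segment in %r" % request_path)
    # A leading '/' would make os.path.join discard `root`; strip it.
    relative = decoded.lstrip("/")
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, relative))
    if candidate != real_root and not candidate.startswith(real_root + os.sep):
        raise PathRejected("%r escapes the document root" % request_path)
    return candidate


def decide(root, request_path, reject_dot_segments=True):
    """Return ('served', path), ('not_found', path) or ('rejected', reason)."""
    try:
        path = resolve_static_path(root, request_path, reject_dot_segments)
    except PathRejected as exc:
        return ("rejected", str(exc))
    if not os.path.isfile(path):
        return ("not_found", path)  # contained, but nothing there to serve
    return ("served", path)


def build_demo_root():
    """Constructed layout standing in for the package's static directory:
    ROOT/schema/index.html and ROOT/css/style.css, plus ROOT/schema/up, a
    symlink to the parent of ROOT, where the platform allows symlinks."""
    root = tempfile.mkdtemp(prefix="udm-static-")
    for sub, name, body in (("schema", "index.html", "<html>openapi ui</html>"),
                            ("css", "style.css", "body {}")):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, name), "w") as fh:
            fh.write(body)
    try:
        os.symlink(os.path.dirname(root), os.path.join(root, "schema", "up"))
    except (OSError, NotImplementedError, AttributeError):
        pass  # no symlink support here; '..' still exercises the realpath check
    return root


def has_escape_symlink(root):
    """True when build_demo_root() managed to create the out-of-root symlink."""
    return os.path.islink(os.path.join(root, "schema", "up"))


if __name__ == "__main__":
    root = build_demo_root()
    requests = [
        "schema/index.html",
        "schema/../css/style.css",        # comment 4: tornado serves this, it is inside root
        "schema/%2e%2e/css/style.css",    # the same request, percent-encoded
        "schema/../../../../../../etc/machine.secret",
        "schema/up/passwd",               # symlink out of root, no '..' at all
        "/etc/machine.secret",            # absolute path smuggled into the join
    ]
    for policy in (False, True):
        print("reject_dot_segments=%s" % policy)
        for req in requests:
            verdict, detail = decide(root, req, policy)
            print("  %-48s %-9s %s" % (req, verdict, detail))
```

The second layer is the one that matters for comment 4's second URI; the first layer is what makes the first URI a 403 instead of a served stylesheet. Because the UDM REST API process runs as root, any gap in this check reads any file on the host, which is the reason to prefer the conservative policy when no proxy sits in front of the service.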