Univention Bugzilla – Bug 57058
Expose UDM OpenAPI schema UI via UDM REST API server
Last modified: 2024-02-21 13:08:09 CET
The UDM REST API OpenAPI Schema UI is currently exposed via Apache. For containerized environments, having an additional HTTP container for these static files is currently not planned. Therefore the UDM REST API server can expose this additionally.
For containerized environments, the UDM REST API OpenAPI Schema user interface is now exposed via the UDM REST API server as well.

univention-directory-manager-rest.yaml 13e118e1a356 | feat(udm-rest): expose static files also via tornado
univention-directory-manager-rest (10.0.7-9) 13e118e1a356 | feat(udm-rest): expose static files also via tornado

While this is a security risk, for Nubus developers we have a plain UDM REST API container without a gateway container for static files in front of it, serving the openapi UI.
OK: Code review
OK: Portal and UMC functionality
OK: curl -i 'http://localhost:9979/udm/schema/index.html'
OK: Package update from older versions
OK: Advisory / Changelog entry
(In reply to Florian Best from comment #1)
> While this is a security risk, for Nubus developers we have a plain
> UDM REST API container without a gateway container for static files in
> front of it,
> serving the openapi UI.

Please describe the security risk posed by serving static files by tornado without an HTTP proxy in front of it.
(In reply to Daniel Tröder from comment #3)
> Please describe the security risk posed by serving static files by tornado
> without an HTTP proxy in front of it.

It's basically: Apache runs as www-data, while UDM-REST runs as root. Security holes in Python, Tornado/Flask/FastAPI/etc or dependencies of it might be more likely than in Apache or Nginx.

For example, I think Apache disallows this URI, but tornado resolves it and serves the content, if it's underneath the base document root:
http://localhost:9979/udm/schema/../css/style.css

I tested that it disallows:
http://localhost:9979/udm/schema/../../../../../../etc/machine.secret
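Added example, not part of the bug thread and not UDM REST API or Tornado code: a stand-alone model of the two behaviours discussed above, i.e. a handler that honours ".." as long as the resolved path stays under the document root (the behaviour attributed to tornado) next to one that refuses any ".." segment outright (the behaviour attributed to Apache). The document root /usr/share/udm-rest/static, the mount prefix /udm/ and the file layout are constructed assumptions for the example; nothing touches the filesystem, so it runs offline on any OS.

```python
"""Path-containment checks for a static-file handler, modelled in pure Python.

Constructed layout (assumption, not the real package path):
  ROOT/schema/index.html   and   ROOT/css/style.css
"""
import posixpath
from urllib.parse import unquote

ROOT = "/usr/share/udm-rest/static"   # assumed document root
URL_PREFIX = "/udm/"                  # assumed mount point of the static handler


def _relative_request_path(url_path: str) -> str:
    """Strip the mount prefix and percent-decode the remainder.

    Decoding happens before any segment inspection, so an encoded
    '%2e%2e' is seen as '..' by the checks below.
    """
    if not url_path.startswith(URL_PREFIX):
        raise ValueError("request is outside the static handler's mount point")
    return unquote(url_path[len(URL_PREFIX):])


def lenient_resolve(url_path: str):
    """Tornado-style resolution: join onto ROOT, normalise, keep if still under ROOT.

    '..' segments are honoured, so /udm/schema/../css/style.css is served
    because it lands back inside ROOT, while a request that climbs out of
    ROOT (e.g. towards /etc/machine.secret) is refused.
    Returns the absolute path to serve, or None where a handler would send 403.
    """
    rel = _relative_request_path(url_path)
    # posixpath.join discards ROOT if rel is absolute ("/udm//etc/passwd");
    # the containment check below catches that case as well.
    absolute = posixpath.normpath(posixpath.join(ROOT, rel))
    if absolute == ROOT or absolute.startswith(ROOT + "/"):
        return absolute
    return None


def strict_resolve(url_path: str):
    """Apache-style: refuse any request carrying a '..' segment, then contain as above.

    The containment check alone already prevents escaping ROOT; refusing '..'
    additionally removes the traversal-inside-root behaviour seen in the thread.
    """
    rel = _relative_request_path(url_path)
    if any(segment == ".." for segment in rel.split("/")):
        return None
    return lenient_resolve(url_path)


if __name__ == "__main__":
    for req in (
        "/udm/schema/index.html",
        "/udm/schema/../css/style.css",
        "/udm/schema/%2e%2e/css/style.css",
        "/udm/schema/../../../../../../etc/machine.secret",
        "/udm//etc/passwd",
    ):
        print(f"{req:55} lenient={lenient_resolve(req)!s:45} strict={strict_resolve(req)}")
```

Running it shows the difference that matters for the question in this bug: both variants keep the request inside ROOT, but only the strict one refuses the "../css/style.css" form instead of quietly serving a sibling directory.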
<https://errata.software-univention.de/#/?erratum=5.0x961>