Sfoglia il codice sorgente

security: Possible to kill actions without authentication & credential leak in logs

jamesread 7 mesi fa
parent
commit
853972384c
2 ha cambiato i file con 2 aggiunte e 1 eliminazioni
  1. 1 0
      service/internal/api/api.go
  2. 1 1
      service/internal/auth/authcheck.go

+ 1 - 0
service/internal/api/api.go

@@ -90,6 +90,7 @@ func (api *oliveTinAPI) killActionByTrackingId(user *authpublic.AuthenticatedUse
 	if !acl.IsAllowedKill(api.cfg, user, action) {
 		log.Warnf("Killing execution request not possible - user not allowed to kill this action: %v", execReqLogEntry.ExecutionTrackingID)
 		ret.Killed = false
+		return
 	}
 
 	err := api.executor.Kill(execReqLogEntry)

+ 1 - 1
service/internal/auth/authcheck.go

@@ -45,7 +45,7 @@ func runAuthChain[T any](req *connect.Request[T], cfg *config.Config) *types.Aut
 func UserFromApiCall[T any](ctx context.Context, req *connect.Request[T], cfg *config.Config) *types.AuthenticatedUser {
 	user := runAuthChain(req, cfg)
 
-	log.Infof("Context: %+v", ctx)
+	log.Tracef("UserFromApiCall Context: %+v", ctx)
 
 	if user == nil || user.Username == "" {
 		user = UserGuest(cfg)