Open Closed

Application Configuration API Endpoint #5961


User avatar
0
SamirBoutazzout created

Hello everyone,

I would like to inquire whether it is possible to secure the following endpoint: api/abp/application-configuration We are preparing to pass on production and the security audit run on the application raised the issue of this endpoint being non-secure and can be accessed by anyone, especially that it contains app and user information. I tried looking in the solution for this endpoint but I couldn't find it. Is there a way to secure it with the Authorize attribute or at least remove it if that's not going to affect the api?

  • ABP Framework version: v6.0.2
  • UI Type: Angular
  • Database System: EF Core (PostgreSQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): Auth Server Separated

5 Answer(s)
  • User Avatar
    0
    Anjali_Musmade created
    Support Team Support Team Member

    Hello SamirBoutazzout ,

    can you please check this https://github.com/abpframework/abp/issues/3758

    https://github.com/abpframework/abp/blob/99806b7621fdc10cf2c6e6f4d994612656bda870/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/ApplicationConfigurations/AbpApplicationConfigurationController.cs#L9

    https://github.com/abpframework/abp/blob/99806b7621fdc10cf2c6e6f4d994612656bda870/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/ApplicationConfigurations/AbpApplicationConfigurationAppService.cs#L28

    it is used to determine the application language, settings etc which is not related to user unless they login when a user is not logged in it doesn't give user related information.

    Can you share a screenshot of the http response where it shows user information without login?

    please do let me know if it helps you

    Thank you, Anjali

  • User Avatar
    0
    SamirBoutazzout created

    Hello Anjali, Thank you very much indeed for your help. Unfortunately the suggestions provided in the github issue link didn't solve my problem. Is it possible to download the source code for the ApplicationConfiguration in my solution or override it somewhere? Just adding the Authorize attribute will solve it for me but i'm not sure if that's going to introduce any bugs or breaking changes to the system.

    Off-topic, we found a high risk XSS vulnerability on Angular project, specifically in the Language Management section when editing Language Texts. Where I can report it?

  • User Avatar
    0
    Anjali_Musmade created
    Support Team Support Team Member

    Hi

    yes you can override the controller see examples of how you can do it here

    https://docs.abp.io/en/abp/latest/Customizing-Application-Modules-Overriding-Services

    https://github.com/abpframework/abp/blob/99806b7621fdc10cf2c6e6f4d994612656bda870/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/ApplicationConfigurations/AbpApplicationConfigurationController.cs#L9

    you can override this controller and add the authorize attribute to the controller class.

    but i think it will create bugs as it needs the application configurations like languages and other information from backend.

    you can modify the code inside

    overriding this service

    https://github.com/abpframework/abp/blob/99806b7621fdc10cf2c6e6f4d994612656bda870/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/ApplicationConfigurations/AbpApplicationConfigurationAppService.cs#L28

  • User Avatar
    0
    SamirBoutazzout created

    Hi

    yes you can override the controller
    see examples of how you can do it here

    https://docs.abp.io/en/abp/latest/Customizing-Application-Modules-Overriding-Services

    https://github.com/abpframework/abp/blob/99806b7621fdc10cf2c6e6f4d994612656bda870/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/ApplicationConfigurations/AbpApplicationConfigurationController.cs#L9

    you can override this controller and add the authorize attribute to the controller class.

    but i think it will create bugs as it needs the application configurations like languages and other information from backend.

    you can modify the code inside

    overriding this service

    https://github.com/abpframework/abp/blob/99806b7621fdc10cf2c6e6f4d994612656bda870/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/ApplicationConfigurations/AbpApplicationConfigurationAppService.cs#L28

    Thank you very much. This worked but as you mentioned it broke the app unfortunately. The endpoint is not supposed to be authorized.

  • User Avatar
    0
    Anjali_Musmade created
    Support Team Support Team Member

    Hello SamirBoutazzout,

    I am closing the ticket as your query get resolved?

    Thanks, Anjali

Made with ❤️ on ABP v9.1.0-preview. Updated on December 12, 2024, 07:15