Hello everyone,
I would like to inquire whether it is possible to secure the following endpoint: api/abp/application-configuration. We are preparing to pass on to production, and the security audit run on the application raised the issue that this endpoint is not secured and can be accessed by anyone, especially since it contains app and user information. I tried looking in the solution for this endpoint, but I couldn't find it. Is there a way to secure it with the Authorize attribute, or at least remove it if that's not going to affect the API?
- ABP Framework version: v6.0.2
- UI Type: Angular
- Database System: EF Core (PostgreSQL)
- Tiered (for MVC) or Auth Server Separated (for Angular): Auth Server Separated
5 Answer(s)
-
0
Hello SamirBoutazzout,
Can you please check this: https://github.com/abpframework/abp/issues/3758
https://github.com/abpframework/abp/blob/99806b7621fdc10cf2c6e6f4d994612656bda870/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/ApplicationConfigurations/AbpApplicationConfigurationController.cs#L9
https://github.com/abpframework/abp/blob/99806b7621fdc10cf2c6e6f4d994612656bda870/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/ApplicationConfigurations/AbpApplicationConfigurationAppService.cs#L28
It is used to determine the application language, settings, etc., which is not related to the user unless they log in. When a user is not logged in, it doesn't give user-related information.
Can you share a screenshot of the http response where it shows user information without login?
Please do let me know if it helps you.
Thank you, Anjali
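The answer above claims that an unauthenticated call returns no user-related data. The following is an added check, not code from this thread or from ABP, that audits a captured anonymous response body: it flags any populated identity field under currentUser, and lists the granted policies and setting keys the endpoint exposes so an auditor can review them. The JSON samples are constructed for the example; the key names follow the camelCase shape of ABP's ApplicationConfigurationDto.

```python
import json

# Constructed sample of an anonymous response from api/abp/application-configuration.
# Values are made up; only the key layout mirrors ABP's ApplicationConfigurationDto.
SAMPLE_ANONYMOUS_RESPONSE = json.dumps({
    "localization": {"currentCulture": {"name": "en"}},
    "auth": {"grantedPolicies": {}},
    "setting": {"values": {"Abp.Localization.DefaultLanguage": "en",
                           "Abp.Timing.TimeZone": "UTC"}},
    "currentUser": {"isAuthenticated": False, "id": None, "tenantId": None,
                    "userName": None, "name": None, "surName": None,
                    "email": None, "phoneNumber": None, "roles": []},
    "features": {"values": {}},
})

# Constructed sample of what a leaking response would look like (hypothetical data).
SAMPLE_LEAKING_RESPONSE = json.dumps({
    "auth": {"grantedPolicies": {"AbpIdentity.Users": True}},
    "setting": {"values": {}},
    "currentUser": {"isAuthenticated": False, "id": None,
                    "userName": "admin", "email": "admin@example.test", "roles": []},
})

# currentUser keys that identify a person; a non-empty value in an
# unauthenticated response is an information-disclosure finding.
USER_IDENTITY_KEYS = ("id", "tenantId", "userName", "name", "surName",
                      "email", "phoneNumber", "roles")


def audit_anonymous_configuration(body: str) -> dict:
    """Audit an unauthenticated application-configuration response body."""
    cfg = json.loads(body)
    user = cfg.get("currentUser") or {}
    auth = cfg.get("auth") or {}
    setting = cfg.get("setting") or {}
    leaked = [k for k in USER_IDENTITY_KEYS if user.get(k) not in (None, "", [], {})]
    return {
        # Should be False for an anonymous call.
        "is_authenticated": bool(user.get("isAuthenticated")),
        # Any entry here is a finding to raise with the audit.
        "leaked_user_fields": leaked,
        # Policies granted to the anonymous caller; review that this list is expected.
        "granted_policies": sorted(k for k, v in auth.get("grantedPolicies", {}).items() if v),
        # Setting names visible to clients; review that none are sensitive.
        "exposed_settings": sorted(setting.get("values", {})),
    }


if __name__ == "__main__":
    print(json.dumps(audit_anonymous_configuration(SAMPLE_ANONYMOUS_RESPONSE), indent=2))
```

To run it against a real deployment, save the body of an unauthenticated GET to the endpoint and pass it to audit_anonymous_configuration; an empty leaked_user_fields list backs up the answer's claim.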
-
0
Hello Anjali, thank you very much indeed for your help. Unfortunately, the suggestions provided in the GitHub issue link didn't solve my problem. Is it possible to download the source code for the ApplicationConfiguration into my solution or override it somewhere? Just adding the Authorize attribute will solve it for me, but I'm not sure if that's going to introduce any bugs or breaking changes to the system.
Off-topic: we found a high-risk XSS vulnerability in the Angular project, specifically in the Language Management section when editing Language Texts. Where can I report it?
-
0
Hi
Yes, you can override the controller. See examples of how you can do it here:
https://docs.abp.io/en/abp/latest/Customizing-Application-Modules-Overriding-Services
https://github.com/abpframework/abp/blob/99806b7621fdc10cf2c6e6f4d994612656bda870/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/ApplicationConfigurations/AbpApplicationConfigurationController.cs#L9
You can override this controller and add the Authorize attribute to the controller class.
But I think it will create bugs, as it needs the application configurations like languages and other information from the backend.
You can modify the code inside by overriding this service:
https://github.com/abpframework/abp/blob/99806b7621fdc10cf2c6e6f4d994612656bda870/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/ApplicationConfigurations/AbpApplicationConfigurationAppService.cs#L28
-
0
Thank you very much. This worked, but as you mentioned, it broke the app, unfortunately. The endpoint is not supposed to be authorized.
-
0
Hello SamirBoutazzout,
I am closing the ticket, as your query got resolved.
Thanks, Anjali