discourse/app/controllers/admin/api_controller.rb
Alan Guo Xiang Tan 439cc5b023
SECURITY: Impose a upper bound on limit params in various controllers
What is the problem here?

In multiple controllers, we are accepting a `limit` params but do not
impose any upper bound on the values being accepted. Without an upper
bound, we may be allowing arbituary users from generating DB queries
which may end up exhausing the resources on the server.

What is the fix here?

A new `fetch_limit_from_params` helper method is introduced in
`ApplicationController` that can be used by controller actions to safely
get the limit from the params as a default limit and maximum limit has
to be set. When an invalid limit params is encountered, the server will
respond with the 400 response code.
2023-07-28 12:56:35 +01:00

154 lines
4.2 KiB
Ruby

# frozen_string_literal: true
class Admin::ApiController < Admin::AdminController
# Note: in the REST API, ApiKeys are referred to simply as "key"
# If we used "api_key", then our user provider would try to use the value for authentication
INDEX_LIMIT = 50
def index
offset = (params[:offset] || 0).to_i
limit = fetch_limit_from_params(default: INDEX_LIMIT, max: INDEX_LIMIT)
keys =
ApiKey
.where(hidden: false)
.includes(:user, :api_key_scopes)
# Sort revoked keys by revoked_at and active keys by created_at
.order("revoked_at DESC NULLS FIRST, created_at DESC")
.offset(offset)
.limit(limit)
render_json_dump(keys: serialize_data(keys, ApiKeySerializer), offset: offset, limit: limit)
end
def show
api_key = ApiKey.includes(:api_key_scopes).find_by!(id: params[:id])
render_serialized(api_key, ApiKeySerializer, root: "key")
end
def scopes
scopes =
ApiKeyScope
.scope_mappings
.reduce({}) do |memo, (resource, actions)|
memo.tap do |m|
m[resource] = actions.map do |k, v|
{
scope_id: "#{resource}:#{k}",
key: k,
name: k.to_s.gsub("_", " "),
params: v[:params],
urls: v[:urls],
}
end
end
end
render json: { scopes: scopes }
end
def update
api_key = ApiKey.find_by!(id: params[:id])
ApiKey.transaction do
api_key.update!(update_params)
log_api_key(api_key, UserHistory.actions[:api_key_update], changes: api_key.saved_changes)
end
render_serialized(api_key, ApiKeySerializer, root: "key")
end
def destroy
api_key = ApiKey.find_by!(id: params[:id])
ApiKey.transaction do
api_key.destroy
log_api_key(api_key, UserHistory.actions[:api_key_destroy])
end
render json: success_json
end
def create
api_key = ApiKey.new(update_params)
ApiKey.transaction do
api_key.created_by = current_user
api_key.api_key_scopes = build_scopes
if username = params.require(:key).permit(:username)[:username].presence
api_key.user = User.find_by_username(username)
raise Discourse::NotFound unless api_key.user
end
api_key.save!
log_api_key(api_key, UserHistory.actions[:api_key_create], changes: api_key.saved_changes)
end
render_serialized(api_key, ApiKeySerializer, root: "key")
end
def undo_revoke_key
api_key = ApiKey.find_by(id: params[:id])
raise Discourse::NotFound if api_key.blank?
ApiKey.transaction do
api_key.update(revoked_at: nil)
log_api_key_restore(api_key)
end
render_serialized(api_key, ApiKeySerializer)
end
def revoke_key
api_key = ApiKey.find_by(id: params[:id])
raise Discourse::NotFound if api_key.blank?
ApiKey.transaction do
api_key.update(revoked_at: Time.zone.now)
log_api_key_revoke(api_key)
end
render_serialized(api_key, ApiKeySerializer)
end
private
def build_scopes
params.require(:key)[:scopes].to_a.map do |scope_params|
resource, action = scope_params[:scope_id].split(":")
mapping = ApiKeyScope.scope_mappings.dig(resource.to_sym, action.to_sym)
raise Discourse::InvalidParameters if mapping.nil? # invalid mapping
ApiKeyScope.new(
resource: resource,
action: action,
allowed_parameters: build_params(scope_params, mapping[:params]),
)
end
end
def build_params(scope_params, params)
return if params.nil?
scope_params
.slice(*params)
.tap do |allowed_params|
allowed_params.each do |k, v|
v.blank? ? allowed_params.delete(k) : allowed_params[k] = v.split(",")
end
end
end
def update_params
editable_fields = [:description]
permitted_params = params.permit(key: [*editable_fields])[:key]
raise Discourse::InvalidParameters unless permitted_params
permitted_params
end
def log_api_key(*args)
StaffActionLogger.new(current_user).log_api_key(*args)
end
def log_api_key_revoke(*args)
StaffActionLogger.new(current_user).log_api_key_revoke(*args)
end
def log_api_key_restore(*args)
StaffActionLogger.new(current_user).log_api_key_restore(*args)
end
end