Limit the API data send to JS #1778

Open
oharsta opened this issue Jan 29, 2025 · 0 comments
oharsta commented Jan 29, 2025

Currently in most of the API calls, the SQLAlchemy objects are returned as-is in JSON format. This causes sensitive data to leak to the client. The solution can be simple, as we already have hooks to filter and/or sanitise data in the DynamicExtendedJSONProvider and SecretMixin.

Already filtered out by the current SecretMixin and DynamicExtendedJSONProvider implementation are the following attributes:

SecretMixin: ["ldap_password", "hashed_token", "hashed_secret", "scim_bearer_token", "oidc_client_secret"]
DynamicExtendedJSONProvider: ["mfa_reset_token", "second_factor_auth"]

We can extend the current implementation to check if there is a session in the current Flask request and, depending on the role of the user and the type of object, we can further limit the data sent back to the JS client.

We need to identify the sensitive attributes that do not have to leave the server and are not covered by current sanitisation.
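
The following is an added example, not part of the issue and not the project's own code: a sketch of the approach the issue proposes, where the attributes it lists are always stripped and everything else passes through a per-type, per-role allow-list that fails closed. Plain dicts with a `_type` key stand in for SQLAlchemy objects, and the role names, the `VISIBLE` table, the `sanitise` helper and all sample fields and values are assumptions constructed for illustration.

```python
import json

# Attribute names the issue lists as already filtered by the current hooks.
ALWAYS_STRIPPED = frozenset({
    "ldap_password", "hashed_token", "hashed_secret",
    "scim_bearer_token", "oidc_client_secret",
    "mfa_reset_token", "second_factor_auth",
})

# Hypothetical allow-lists per object type and role (constructed names).
# An attribute that is not listed is dropped, so a newly added column
# stays on the server until someone decides it may be sent to the client.
VISIBLE = {
    "user": {
        "admin": {"id", "name", "email", "last_login_ip", "organisations"},
        "member": {"id", "name"},
    },
    "organisation": {
        "admin": {"id", "name", "contact_email"},
        "member": {"id", "name"},
    },
}

def sanitise(value, role):
    """Return a copy of value reduced to what `role` may see.
    role is None when the request carries no session."""
    if isinstance(value, list):
        return [sanitise(item, role) for item in value]
    if not isinstance(value, dict):
        return value
    obj_type = value.get("_type")
    # Typed objects use the allow-list; an unknown type or role gets an
    # empty set (fail closed). Untyped dicts only get the deny-list.
    allowed = VISIBLE.get(obj_type, {}).get(role, set()) if obj_type else None
    out = {}
    for key, val in value.items():
        if key == "_type" or key in ALWAYS_STRIPPED:
            continue
        if allowed is not None and key not in allowed:
            continue
        out[key] = sanitise(val, role)  # nested relations are filtered too
    return out

# Constructed sample object with a nested relation and secret attributes.
SAMPLE_USER = {
    "_type": "user", "id": 7, "name": "Ada", "email": "ada@example.org",
    "last_login_ip": "192.0.2.10", "mfa_reset_token": "constructed-token",
    "organisations": [{"_type": "organisation", "id": 1, "name": "Uni",
                       "contact_email": "it@example.org",
                       "ldap_password": "constructed-password"}],
}

def to_json(value, role):
    return json.dumps(sanitise(value, role), sort_keys=True)
```

In a Flask application the same filtering would run inside the JSON provider hook, with the role taken from the session of the current request.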
