dashy
[BUG] Backend has no authentication checks in place
Environment
Self-Hosted (Bare Metal)
Version
2.0.8
Describe the problem
To begin with I'm not sure if this should be taken as a security issue or a documentation issue.
Currently the official documentation talks about the safety of the password and the use of Keycloak.
With basic auth, all logic is happening on the client-side, which could mean a skilled user could manipulate the code to view parts of your configuration, including the hash.
This suggests that the use of basic auth has no further security implications aside from the hash being visible. However anyone, without authentication, can still use the node server's functions. Prohibiting the use of the functions on the client side is not proper security.
I am no security expert but I think that this exposes a few immediate ways this software can be exploited:
- Anyone can rebuild the application to their liking (without authentication)
- The available storage space can be filled with newly saved config files
- The machine can be slowed by continuous rebuilds and in case of mini PCs (like a Raspberry Pi) they can be rendered useless.
I suggest that either the security part of the documentation and the README should have a clear warning that indicates that this software should not be run as an internet facing service because of security complications OR a proper backend check for authentication ought to be implemented (this has to be done for each security provider) OR there should be configuration for the backend to hard-disable potentially harmful endpoints and make this the default for new users.
This supersedes #590
Additional info
No response
Please tick the boxes
- [X] You are using a supported version of Dashy (check the first two digits of the version number)
- [X] You've checked that this issue hasn't already been raised
- [X] You've checked the docs and troubleshooting guide
- [X] You agree to the code of conduct
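Added example, not part of the issue and not Dashy's own code: one way to implement two of the backend options the report proposes, with state-changing endpoints disabled by default and, when enabled, gated by a credential check that runs on the server. The route names, the `allowWrites` and `apiToken` options and the bearer-token scheme are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Hypothetical route names standing in for the backend's "save config" and
// "rebuild" functions; substitute the real paths of the deployment.
const PROTECTED_ROUTES = new Set(['/save-config', '/rebuild']);

// Compare secrets in constant time; hashing first gives equal-length buffers.
function safeEqual(a, b) {
  const digest = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(digest(a), digest(b));
}

function deny(res, status, message) {
  res.statusCode = status;
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify({ success: false, message }));
}

// Strip the query string, trailing slashes and case so that "/Rebuild/?x=1"
// is treated the same as "/rebuild" (routers often match both).
function normalisePath(url) {
  return String(url).split('?')[0].replace(/\/+$/, '').toLowerCase();
}

// Connect/Express-style middleware factory. Both options are assumptions:
//   allowWrites - protected routes stay disabled unless explicitly enabled
//   apiToken    - server-side secret, e.g. read from an environment variable
function makeGuard({ allowWrites = false, apiToken = '' } = {}) {
  return function guard(req, res, next) {
    if (!PROTECTED_ROUTES.has(normalisePath(req.url))) return next();
    if (!allowWrites) return deny(res, 403, 'endpoint disabled');

    const header = (req.headers && req.headers.authorization) || '';
    const [scheme, presented] = header.split(' ');
    // Fail closed: an empty configured token never authenticates anyone.
    const ok = apiToken && scheme === 'Bearer' && presented
      && safeEqual(presented, apiToken);
    if (!ok) return deny(res, 401, 'authentication required');
    return next();
  };
}
```

In an Express app, mounting the guard on the protected routes themselves avoids depending on path normalisation.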
Any updates on this? I was really hyped to put Dashy on a server but if there are such security implications, I'd rather not have it on an internet facing server with private stuff in it :(
This issue has gone 6 weeks without an update. To keep the ticket open, please indicate that it is still relevant in a comment below. Otherwise it will be closed in 5 working days.
Will be completed (hopefully) in 2.1.2, along with a re-write of how config is loaded and managed. For details, see #799