tighten access controls for global licence routes#18493
Conversation
| ) | ||
|
|
||
| loggedInRoutes | ||
| adminRoutes |
There was a problem hiding this comment.
This probably needs to support builders
There was a problem hiding this comment.
good call, I have opened up GET /api/global/license/usage and /api/global/license/key to all logged in users. I don't think non-admins need access to other license endpoints
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 2 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="packages/worker/src/api/routes/global/license.ts">
<violation number="1" location="packages/worker/src/api/routes/global/license.ts:18">
P1: These GET endpoints were moved from adminRoutes to loggedInRoutes, which is defined without auth.adminOnly. That drops the admin-only restriction and lets non-admin users read license usage/key data.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.
| }).required() | ||
| ) | ||
|
|
||
| loggedInRoutes |
There was a problem hiding this comment.
Should that not be builderOrAdminRoutes?
There was a problem hiding this comment.
have done some testing with these
GET /api/global/license/usage hits on any user login so definitely needs to stay as a loggedInRoute.
GET /api/global/license/key makes more sense as builderOrAdminRoute, thanks
I've split them out now
4 participants
Description
Addresses
https://github.com/Budibase/vulns/issues/40
https://github.com/Budibase/budibase/security/advisories/GHSA-4wr8-5c3p-rjcr
Launchcontrol
tighten access controls for global licence routes