Page MenuHomePhabricator

Deny request propagation from offending domains in dashboard
Closed, ResolvedPublic5 Estimated Story Points


In order to deny request propagation down to the auth service coming from offending domains, we need to update the axios interceptor to block those domains.

Please refer to Investigations/Investigation: Create-user exploit

To do

  • Create an IaC variable for offending_domains domain_denylist (refer to malicious_ips_denylist as an example).
  • Pass this variable to the dashboard service. Use it in the axios interceptor to block the request from these domains.

QA / Acceptance criteria

  • On dev, set domain_denylist as [""]. Using dashboard, perform sign up with email Your request should be denied. Check the /ecs/auth_pr_wme log, you should not see a /create-user API call corresponding to your request.

Event Timeline

Would it be possbile to block signups from offending lists as part of the pre-signup lambda

We want to block the offending domain (related to the sign-up email) as early as possible in the flow.

The earliest we can do is at the dashboard level (/sign-up handler) in the axios interceptor middleware, that is responsible for propagating the request further to our auth service. The lambda comes later in the flow.

Here is the high-level flow:

User -> [dashboard] sign up handler [axios interceptor] -> [WAF] [CORS] Auth API server (/create-user endpoint) -> Send email for verification (using lambda)

I recommend we change this scope and address the issue in the backend API. That way we'll be secured regarding changes in public javascript, or direct api calls

after discussion with the team.

it will be done in two places, frontend and backend. Also will be created investigation ticket for WAF