Page MenuHomePhabricator

Lock down RESTBase public API
Closed, ResolvedPublic

Description

For the first public RESTBase deployment, we need to lock down the public API to only allow GET and POST requests that don't inject user-supplied information into the database. This basically means that the majority of requests will be GETs. These might trigger an internal fetch to a service like Parsoid & a subsequent internal PUT of the content returned to storage. The main POST entry point we'll need to support for now would be Parsoid's html2wt mode (see T75955).

We still need to have a way to create buckets internally, which means PUTs. Ideas:

  • hook into some specific MediaWiki access right verified through a call to an userCan MediaWiki API entry point
  • set up a secret in config.yaml via the private hiera repository, and allow access from an internal IP range when supplying this secret

Event Timeline

GWicke raised the priority of this task from to Needs Triage.
GWicke updated the task description. (Show Details)
GWicke added a project: RESTBase.
GWicke changed Security from none to None.
GWicke added a subscriber: GWicke.
Jdouglas triaged this task as High priority.Jan 8 2015, 4:52 PM

Most of this is now done with the removal of all external PUT support & protection of internal APIs. We should perform a final audit before deploy, but I'm confident that we are pretty much done.

Is this one ready to be closed as resolved?

Jdouglas moved this task from Backlog to In progress on the RESTBase board.Feb 5 2015, 1:04 AM
GWicke closed this task as Resolved.Mar 15 2015, 4:25 PM

Resolving as done.