Endpoint undeclared but currently accessible #5786
Hi @Blasci, it sounds like you need to enable an Allow List to get the functionality you require. Once you add the allowed paths to the list, Tyk will automatically block all others. Please give this a try and let me know if it works for you. Thanks for trying Tyk!
Hi @andyo-tyk, sorry, I forgot to mention it: I have already activated the Whitelist plugin, which is why I opened this issue. Thanks for your answer!
Hi @Blasci, would you be able to share your API Definition, please, so that we can check whether something is wrong in the configuration? Please remember to obfuscate any sensitive data before sharing!
Hi @andyo-tyk, yes! Here is my API Definition: {
"api_definition": {
"CORS": {
"allow_credentials": false,
"allowed_headers": [],
"allowed_methods": [],
"allowed_origins": [],
"debug": false,
"enable": false,
"exposed_headers": [],
"max_age": 0,
"options_passthrough": false
},
"active": true,
"allowed_ips": [],
"api_id": "01234567890123456789012345678901",
"auth": {
"auth_header_name": "Authorization",
"cookie_name": "",
"param_name": "",
"signature": {
"algorithm": "",
"allowed_clock_skew": 0,
"error_code": 0,
"error_message": "",
"header": "",
"param_name": "",
"secret": "",
"use_param": false
},
"use_certificate": false,
"use_cookie": false,
"use_param": false,
"validate_signature": false
},
"auth_configs": {
"authToken": {
"auth_header_name": "Authorization",
"cookie_name": "",
"param_name": "",
"signature": {
"algorithm": "",
"allowed_clock_skew": 0,
"error_code": 0,
"error_message": "",
"header": "",
"param_name": "",
"secret": "",
"use_param": false
},
"use_certificate": false,
"use_cookie": false,
"use_param": false,
"validate_signature": false
},
"jwt": {
"auth_header_name": "Authorization",
"cookie_name": "",
"param_name": "",
"signature": {
"algorithm": "",
"allowed_clock_skew": 0,
"error_code": 0,
"error_message": "",
"header": "",
"param_name": "",
"secret": "",
"use_param": false
},
"use_certificate": false,
"use_cookie": false,
"use_param": false,
"validate_signature": false
}
},
"auth_provider": {
"meta": {},
"name": "",
"storage_engine": ""
},
"base_identity_provided_by": "",
"basic_auth": {
"body_password_regexp": "",
"body_user_regexp": "",
"cache_ttl": 0,
"disable_caching": false,
"extract_from_body": false
},
"blacklisted_ips": [],
"cache_options": {
"cache_all_safe_requests": false,
"cache_by_headers": [],
"cache_control_ttl_header": "",
"cache_response_codes": [],
"cache_timeout": 60,
"enable_cache": false,
"enable_upstream_cache_control": false
},
"certificates": [],
"client_certificates": [],
"config_data": {},
"custom_middleware": {
"auth_check": {
"name": "",
"path": "",
"raw_body_only": false,
"require_session": false
},
"driver": "",
"id_extractor": {
"extract_from": "",
"extract_with": "",
"extractor_config": {}
},
"post": [],
"post_key_auth": [],
"pre": [],
"response": []
},
"custom_middleware_bundle": "my-custom-bundle.zip",
"definition": {
"key": "x-api-version",
"location": "header",
"strip_path": false
},
"disable_quota": false,
"disable_rate_limit": false,
"do_not_track": false,
"domain": "",
"dont_set_quota_on_create": false,
"enable_batch_request_support": false,
"enable_context_vars": false,
"enable_coprocess_auth": false,
"enable_detailed_recording": false,
"enable_ip_blacklisting": false,
"enable_ip_whitelisting": false,
"enable_jwt": false,
"enable_proxy_protocol": false,
"enable_signature_checking": false,
"event_handlers": {
"events": {}
},
"expire_analytics_after": 0,
"global_rate_limit": {
"per": 0,
"rate": 0
},
"graphql": {
"enabled": false,
"engine": {
"data_sources": [],
"field_configs": []
},
"execution_mode": "",
"playground": {
"enabled": false,
"path": ""
},
"proxy": {
"auth_headers": {}
},
"schema": "",
"subgraph": {
"sdl": ""
},
"supergraph": {
"disable_query_batching": false,
"global_headers": {},
"merged_sdl": "",
"subgraphs": []
},
"type_field_configurations": [],
"version": ""
},
"hmac_allowed_algorithms": [],
"hmac_allowed_clock_skew": -1,
"id": "012345678901234567890123",
"internal": false,
"jwt_client_base_field": "",
"jwt_default_policies": [],
"jwt_expires_at_validation_skew": 0,
"jwt_identity_base_field": "",
"jwt_issued_at_validation_skew": 0,
"jwt_not_before_validation_skew": 0,
"jwt_policy_field_name": "",
"jwt_scope_claim_name": "",
"jwt_scope_to_policy_mapping": {},
"jwt_signing_method": "",
"jwt_skip_kid": false,
"jwt_source": "",
"listen_port": 0,
"name": "my-api",
"notifications": {
"oauth_on_keychange_url": "",
"shared_secret": ""
},
"oauth_meta": {
"allowed_access_types": [],
"allowed_authorize_types": [],
"auth_login_redirect": ""
},
"openid_options": {
"providers": [],
"segregate_by_client": false
},
"org_id": "012345678901234567890123",
"pinned_public_keys": {},
"protocol": "",
"proxy": {
"check_host_against_uptime_tests": false,
"disable_strip_slash": false,
"enable_load_balancing": false,
"listen_path": "/v1/my-api/",
"preserve_host_header": false,
"service_discovery": {
"cache_timeout": 0,
"data_path": "",
"endpoint_returns_list": false,
"parent_data_path": "",
"port_data_path": "",
"query_endpoint": "",
"target_path": "",
"use_discovery_service": false,
"use_nested_query": false,
"use_target_list": false
},
"strip_listen_path": true,
"target_list": [],
"target_url": "https://my-api.url",
"transport": {
"proxy_url": "",
"ssl_ciphers": [],
"ssl_force_common_name_check": false,
"ssl_insecure_skip_verify": false,
"ssl_max_version": 0,
"ssl_min_version": 0
}
},
"request_signing": {
"algorithm": "",
"certificate_id": "",
"header_list": [],
"is_enabled": false,
"key_id": "",
"secret": "",
"signature_header": ""
},
"response_processors": [],
"session_lifetime": 0,
"session_provider": {
"meta": {},
"name": "",
"storage_engine": ""
},
"slug": "my-api",
"strip_auth_data": false,
"tag_headers": [],
"tags": [],
"upstream_certificates": {},
"uptime_tests": {
"check_list": [],
"config": {
"expire_utime_after": 0,
"recheck_wait": 0,
"service_discovery": {
"cache_timeout": 60,
"data_path": "",
"endpoint_returns_list": false,
"parent_data_path": "",
"port_data_path": "",
"query_endpoint": "",
"target_path": "",
"use_discovery_service": false,
"use_nested_query": false,
"use_target_list": false
}
}
},
"use_basic_auth": false,
"use_go_plugin_auth": true,
"use_keyless": false,
"use_mutual_tls_auth": false,
"use_oauth2": false,
"use_openid": false,
"use_standard_auth": false,
"version_data": {
"default_version": "",
"not_versioned": true,
"versions": {
"Default": {
"expires": "",
"extended_paths": {
"white_list": [
{
"ignore_case": false,
"method_actions": {
"GET": {
"action": "no_action",
"code": 200,
"data": "",
"headers": {}
}
},
"path": "/endpoint/{id}"
},
{
"ignore_case": false,
"method_actions": {
"GET": {
"action": "no_action",
"code": 200,
"data": "",
"headers": {}
}
},
"path": "/endpoint/{id}/otherEndPoint"
}
]
},
"global_headers": {
"X-Forwarded-Prefix": "/v1/my-api"
},
"global_headers_remove": [],
"global_response_headers": {},
"global_response_headers_remove": [],
"global_size_limit": 0,
"ignore_endpoint_case": false,
"name": "Default",
"override_target": "",
"paths": {
"black_list": [],
"ignored": [],
"white_list": []
},
"use_extended_paths": true
}
}
}
},
"api_model": {},
"created_at": "2023-10-23T11:28:30+02:00",
"hook_references": [],
"is_site": false,
"sort_by": 0,
"user_group_owners": [],
"user_owners": []
} |
Branch/Environment/Version
Describe the bug
It is possible to access an undeclared endpoint via Tyk when a general (parameterised) endpoint is declared.
Reproduction steps
Steps to reproduce the behavior:
Actual behavior
For example, in our case some developers create endpoints that they deliberately do not publish in Tyk for security reasons, yet those endpoints are currently accessible through the gateway.
Expected behavior
Would it be possible to detect when a path segment is a "real" parameter, i.e. one that does not contain any "/", or something along those lines?