
Endpoint undeclared but currently accessible #5786

Open
Blasci opened this issue Nov 21, 2023 · 4 comments

Comments

@Blasci

Blasci commented Nov 21, 2023

Branch/Environment/Version

  • Branch/Version: Master/v4.0.10
  • Environment: On-prem

Describe the bug
It's possible to access an undeclared endpoint via Tyk when a general endpoint is declared.

Reproduction steps
Steps to reproduce the behavior:

  1. Add general endpoint "GET /endpoint/{id}" in Tyk
  2. In your app code, add endpoint like "GET /endpoint/{id}/otherEndPoint" but don't declare it in Tyk
  3. You can curl the endpoint "/endpoint/{id}/otherEndPoint" via Tyk (but it's undeclared in Tyk)

Actual behavior
For example, in our case, some devs create endpoints but don't publish them in Tyk for security reasons, yet they are currently accessible.

Expected behavior
Is it possible to detect when it's a "real" parameter with any "/" or something else like that?

@Blasci Blasci added the bug label Nov 21, 2023
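The reproduction steps above come down to how an allow-list entry such as `/endpoint/{id}` is turned into a path matcher. The following is an added illustration written for this issue, not Tyk's own code: it assumes (as an assumption, not a statement about Tyk's implementation) that a loose matcher expands `{id}` to `(.*)` without an end anchor, so the entry behaves as a prefix, while a strict matcher expands it to a single path segment and anchors the whole path.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// paramRe finds "{name}" parameter markers in an allow-list entry.
var paramRe = regexp.MustCompile(`\{[^/{}]+\}`)

// compileEntry builds a regular expression for one allow-list entry.
// loose  (assumed): "{id}" -> "(.*)", no end anchor  => prefix match.
// strict (assumed): "{id}" -> "[^/]+", anchored "$"  => exact-shape match.
func compileEntry(entry string, strict bool) *regexp.Regexp {
	var sb strings.Builder
	sb.WriteString("^")
	last := 0
	for _, m := range paramRe.FindAllStringIndex(entry, -1) {
		sb.WriteString(regexp.QuoteMeta(entry[last:m[0]])) // literal text
		if strict {
			sb.WriteString(`[^/]+`) // exactly one path segment
		} else {
			sb.WriteString(`(.*)`) // anything, including further "/" segments
		}
		last = m[1]
	}
	sb.WriteString(regexp.QuoteMeta(entry[last:]))
	if strict {
		sb.WriteString("/?$") // tolerate a trailing slash, nothing else
	}
	return regexp.MustCompile(sb.String())
}

// Allowed reports whether a request path matches any allow-list entry.
func Allowed(allowList []string, path string, strict bool) bool {
	for _, e := range allowList {
		if compileEntry(e, strict).MatchString(path) {
			return true
		}
	}
	return false
}

func main() {
	allow := []string{"/endpoint/{id}"} // the declared endpoint from the issue
	for _, p := range []string{"/endpoint/42", "/endpoint/42/otherEndPoint"} {
		fmt.Printf("%-28s loose=%v strict=%v\n", p,
			Allowed(allow, p, false), Allowed(allow, p, true))
	}
}
```

Under the loose model the undeclared `/endpoint/42/otherEndPoint` passes the allow list; under the strict model only `/endpoint/<one segment>` does, which is the check the reporter asks about.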
@andyo-tyk
Contributor

Hi @Blasci,

It sounds like you need to enable an Allow List to get the functionality you require.

By adding the allowed paths to the list, Tyk will automatically block all others.

Please give this a try and let me know if it works for you.

Thanks for trying Tyk!

@Blasci
Author

Blasci commented Dec 8, 2023

Hi @andyo-tyk

Oh sorry, I forgot to say it. I have already activated the Whitelist plugin.

This is why I opened this issue.

Thanks for your answer!

@andyo-tyk
Contributor

Hi @Blasci,

Would you be able to share your API Definition, please, so that we can check if there's something wrong in the configuration?

Please remember to obfuscate any sensitive data before sharing!

@Blasci
Author

Blasci commented Dec 13, 2023

Hi @andyo-tyk

Yes! Here is my API Definition:

{
  "api_definition": {
    "CORS": {
      "allow_credentials": false,
      "allowed_headers": [],
      "allowed_methods": [],
      "allowed_origins": [],
      "debug": false,
      "enable": false,
      "exposed_headers": [],
      "max_age": 0,
      "options_passthrough": false
    },
    "active": true,
    "allowed_ips": [],
    "api_id": "01234567890123456789012345678901",
    "auth": {
      "auth_header_name": "Authorization",
      "cookie_name": "",
      "param_name": "",
      "signature": {
        "algorithm": "",
        "allowed_clock_skew": 0,
        "error_code": 0,
        "error_message": "",
        "header": "",
        "param_name": "",
        "secret": "",
        "use_param": false
      },
      "use_certificate": false,
      "use_cookie": false,
      "use_param": false,
      "validate_signature": false
    },
    "auth_configs": {
      "authToken": {
        "auth_header_name": "Authorization",
        "cookie_name": "",
        "param_name": "",
        "signature": {
          "algorithm": "",
          "allowed_clock_skew": 0,
          "error_code": 0,
          "error_message": "",
          "header": "",
          "param_name": "",
          "secret": "",
          "use_param": false
        },
        "use_certificate": false,
        "use_cookie": false,
        "use_param": false,
        "validate_signature": false
      },
      "jwt": {
        "auth_header_name": "Authorization",
        "cookie_name": "",
        "param_name": "",
        "signature": {
          "algorithm": "",
          "allowed_clock_skew": 0,
          "error_code": 0,
          "error_message": "",
          "header": "",
          "param_name": "",
          "secret": "",
          "use_param": false
        },
        "use_certificate": false,
        "use_cookie": false,
        "use_param": false,
        "validate_signature": false
      }
    },
    "auth_provider": {
      "meta": {},
      "name": "",
      "storage_engine": ""
    },
    "base_identity_provided_by": "",
    "basic_auth": {
      "body_password_regexp": "",
      "body_user_regexp": "",
      "cache_ttl": 0,
      "disable_caching": false,
      "extract_from_body": false
    },
    "blacklisted_ips": [],
    "cache_options": {
      "cache_all_safe_requests": false,
      "cache_by_headers": [],
      "cache_control_ttl_header": "",
      "cache_response_codes": [],
      "cache_timeout": 60,
      "enable_cache": false,
      "enable_upstream_cache_control": false
    },
    "certificates": [],
    "client_certificates": [],
    "config_data": {},
    "custom_middleware": {
      "auth_check": {
        "name": "",
        "path": "",
        "raw_body_only": false,
        "require_session": false
      },
      "driver": "",
      "id_extractor": {
        "extract_from": "",
        "extract_with": "",
        "extractor_config": {}
      },
      "post": [],
      "post_key_auth": [],
      "pre": [],
      "response": []
    },
    "custom_middleware_bundle": "my-custom-bundle.zip",
    "definition": {
      "key": "x-api-version",
      "location": "header",
      "strip_path": false
    },
    "disable_quota": false,
    "disable_rate_limit": false,
    "do_not_track": false,
    "domain": "",
    "dont_set_quota_on_create": false,
    "enable_batch_request_support": false,
    "enable_context_vars": false,
    "enable_coprocess_auth": false,
    "enable_detailed_recording": false,
    "enable_ip_blacklisting": false,
    "enable_ip_whitelisting": false,
    "enable_jwt": false,
    "enable_proxy_protocol": false,
    "enable_signature_checking": false,
    "event_handlers": {
      "events": {}
    },
    "expire_analytics_after": 0,
    "global_rate_limit": {
      "per": 0,
      "rate": 0
    },
    "graphql": {
      "enabled": false,
      "engine": {
        "data_sources": [],
        "field_configs": []
      },
      "execution_mode": "",
      "playground": {
        "enabled": false,
        "path": ""
      },
      "proxy": {
        "auth_headers": {}
      },
      "schema": "",
      "subgraph": {
        "sdl": ""
      },
      "supergraph": {
        "disable_query_batching": false,
        "global_headers": {},
        "merged_sdl": "",
        "subgraphs": []
      },
      "type_field_configurations": [],
      "version": ""
    },
    "hmac_allowed_algorithms": [],
    "hmac_allowed_clock_skew": -1,
    "id": "012345678901234567890123",
    "internal": false,
    "jwt_client_base_field": "",
    "jwt_default_policies": [],
    "jwt_expires_at_validation_skew": 0,
    "jwt_identity_base_field": "",
    "jwt_issued_at_validation_skew": 0,
    "jwt_not_before_validation_skew": 0,
    "jwt_policy_field_name": "",
    "jwt_scope_claim_name": "",
    "jwt_scope_to_policy_mapping": {},
    "jwt_signing_method": "",
    "jwt_skip_kid": false,
    "jwt_source": "",
    "listen_port": 0,
    "name": "my-api",
    "notifications": {
      "oauth_on_keychange_url": "",
      "shared_secret": ""
    },
    "oauth_meta": {
      "allowed_access_types": [],
      "allowed_authorize_types": [],
      "auth_login_redirect": ""
    },
    "openid_options": {
      "providers": [],
      "segregate_by_client": false
    },
    "org_id": "012345678901234567890123",
    "pinned_public_keys": {},
    "protocol": "",
    "proxy": {
      "check_host_against_uptime_tests": false,
      "disable_strip_slash": false,
      "enable_load_balancing": false,
      "listen_path": "/v1/my-api/",
      "preserve_host_header": false,
      "service_discovery": {
        "cache_timeout": 0,
        "data_path": "",
        "endpoint_returns_list": false,
        "parent_data_path": "",
        "port_data_path": "",
        "query_endpoint": "",
        "target_path": "",
        "use_discovery_service": false,
        "use_nested_query": false,
        "use_target_list": false
      },
      "strip_listen_path": true,
      "target_list": [],
      "target_url": "https://my-api.url",
      "transport": {
        "proxy_url": "",
        "ssl_ciphers": [],
        "ssl_force_common_name_check": false,
        "ssl_insecure_skip_verify": false,
        "ssl_max_version": 0,
        "ssl_min_version": 0
      }
    },
    "request_signing": {
      "algorithm": "",
      "certificate_id": "",
      "header_list": [],
      "is_enabled": false,
      "key_id": "",
      "secret": "",
      "signature_header": ""
    },
    "response_processors": [],
    "session_lifetime": 0,
    "session_provider": {
      "meta": {},
      "name": "",
      "storage_engine": ""
    },
    "slug": "my-api",
    "strip_auth_data": false,
    "tag_headers": [],
    "tags": [],
    "upstream_certificates": {},
    "uptime_tests": {
      "check_list": [],
      "config": {
        "expire_utime_after": 0,
        "recheck_wait": 0,
        "service_discovery": {
          "cache_timeout": 60,
          "data_path": "",
          "endpoint_returns_list": false,
          "parent_data_path": "",
          "port_data_path": "",
          "query_endpoint": "",
          "target_path": "",
          "use_discovery_service": false,
          "use_nested_query": false,
          "use_target_list": false
        }
      }
    },
    "use_basic_auth": false,
    "use_go_plugin_auth": true,
    "use_keyless": false,
    "use_mutual_tls_auth": false,
    "use_oauth2": false,
    "use_openid": false,
    "use_standard_auth": false,
    "version_data": {
      "default_version": "",
      "not_versioned": true,
      "versions": {
        "Default": {
          "expires": "",
          "extended_paths": {
            "white_list": [
              {
                "ignore_case": false,
                "method_actions": {
                  "GET": {
                    "action": "no_action",
                    "code": 200,
                    "data": "",
                    "headers": {}
                  }
                },
                "path": "/endpoint/{id}"
              },
              {
                "ignore_case": false,
                "method_actions": {
                  "GET": {
                    "action": "no_action",
                    "code": 200,
                    "data": "",
                    "headers": {}
                  }
                },
                "path": "/endpoint/{id}/otherEndPoint"
              }
            ]
          },
          "global_headers": {
            "X-Forwarded-Prefix": "/v1/my-api"
          },
          "global_headers_remove": [],
          "global_response_headers": {},
          "global_response_headers_remove": [],
          "global_size_limit": 0,
          "ignore_endpoint_case": false,
          "name": "Default",
          "override_target": "",
          "paths": {
            "black_list": [],
            "ignored": [],
            "white_list": []
          },
          "use_extended_paths": true
        }
      }
    }
  },
  "api_model": {},
  "created_at": "2023-10-23T11:28:30+02:00",
  "hook_references": [],
  "is_site": false,
  "sort_by": 0,
  "user_group_owners": [],
  "user_owners": []
}
