getumbrel / umbrel-manager

[Deprecated] Moved to https://github.com/getumbrel/umbrel/tree/master/packages/manager. Low-level system API for Umbrel.

Home Page: https://github.com/getumbrel/umbrel/tree/master/packages/manager


Some system API endpoints have no JWT auth

nevets963 opened this issue

Is there a reason why some API endpoints don't use JWT auth?

e.g.
/system/update-status
/system/backup-status
/system/memory

I'm more concerned about /system/memory, because it reveals some of the services running on the Umbrel instance and could therefore help an attacker search for vulnerabilities in third-party software to gain access to the Umbrel instance.

e.g.
uptime-kuma
https://testnet.getumbrel.com/manager-api/v1/system/memory

Yeah, /system/update-status is polled during the update process, and during that the user gets logged out and so no longer has a JWT. With regards to /system/backup-status and /system/memory, I think you might be right; it looks like that could have been an oversight. Let me look into it and confirm that and get back to you. Thanks for letting us know!

You were right @nevets963, those endpoints shouldn't have been exposed without JWT auth. This is now resolved by #115. We'll do a new manager release and push an Umbrel update out asap with the updated manager image.

Great spot and thanks again for reaching out!