Secure GET /submissions/{id} with token validation#37
Merged
Conversation
SebastienTainon
force-pushed
the
secure-get-submission
branch
from
304ae62 to
af3c4aa
Compare
SebastienTainon
force-pushed
the
secure-get-submission
branch
from
af3c4aa to
84b3a4d
Compare
smadbe
approved these changes
May 28, 2026
Comment on lines
+49
to
+52
| const booleanFlag = pipe( | ||
| D.union(D.boolean, D.string), | ||
| D.map(v => v !== null && v !== undefined), | ||
| ); |
Contributor
There was a problem hiding this comment.
v !== null && v !== undefined : It cannot be undefined/null as you only allow boolean and string.
=>
?longPolling=false⇒ evaluated astrue.- Missing ⇒
undefined(notfalse)
Comment on lines
352
to
+357
| const submission = await findSubmissionById(submissionId); | ||
| if (null === submission) { | ||
| return null; | ||
| } | ||
|
|
||
| await checkAuthorizedToGetSubmission(submissionQueryParameters, submission); |
Contributor
There was a problem hiding this comment.
You do some operation before check auth. So:
- DoS is easier (easy to make you do many DB request for nothing)
- you can use this service as an oracle to know whether a id exists, even without valid auth
(I may be wrong)
Contributor
Author
There was a problem hiding this comment.
Yes but whether the auth is valid depends on if the submission parameters match the token parameters, and to check this I need to fetch the submission first.
Contributor
There was a problem hiding this comment.
That means a bot can easily DDoS the endpoint. First verifying the token validity (so signature + dates) would make sense.
|
|
||
| // Check task token data match submission data | ||
| if (submission.idTask !== taskTokenData.taskId) { | ||
| throw new InvalidInputError(`Task id mismatch between submission data and provided task id from the token: ${taskTokenData.taskId}`); |
Contributor
There was a problem hiding this comment.
it looks like more like a 403/401 than an input error
| """ | ||
| { | ||
| "error": "Incorrect input arguments.", | ||
| "message": "Error: Missing token or platform POST variable" |
Contributor
There was a problem hiding this comment.
POST variable? on a GET srv
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.