Atomfeed Console api is compromised

Description

We have observed the below issues with the /atomfeed-console/apps API:

  1. It unnecessarily exposes the credentials of all databases.

  2. It is exposed without any authentication.

This is a critical issue and needs to be fixed ASAP.
For now we went ahead and stopped atomfeed-console service in all our qa, demo environments.
We need to communicate this to Bahmni Implementations, suggest the hack of stopping atomfeed-console for now, and see how to go about mitigating the issue.

Tech
1. AppController - change the method to return only an array of objects containing “appName”

2. HomePageCtrl.js - remove the console.log() statement
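The two "Tech" items amount to an allow-list on the response: the endpoint hands out only app names, and the front end stops echoing the response to the browser console. The following is an added illustration, not atomfeed-console's own code, written as a small Node.js module. The config field names (dbUrl, dbUser, dbPassword) and the sensitive-key pattern are assumptions for the example; the real per-app configuration may differ.

```javascript
// Added example (not atomfeed-console's own code). Shows the fix described
// under "Tech": project the internal per-app configuration down to appName
// only, and keep a regression check that flags credential-like keys in
// whatever the /atomfeed-console/apps endpoint returns.

// Constructed sample of the kind of internal config the old endpoint leaked.
// Field names and values are made up for illustration.
const INTERNAL_APP_CONFIGS = [
  {
    appName: 'openmrs',
    dbUrl: 'jdbc:mysql://db.example/openmrs',
    dbUser: 'openmrs-user',
    dbPassword: 'not-a-real-password',
  },
  {
    appName: 'openelis',
    dbUrl: 'jdbc:postgresql://db.example/clinlims',
    dbUser: 'clinlims',
    dbPassword: 'not-a-real-password',
  },
];

// Allow-list projection: the only field that leaves the server is appName.
// Building a fresh object (rather than deleting fields from the original)
// means any field added to the config later is still excluded by default.
function toPublicAppList(configs) {
  return configs.map((cfg) => ({ appName: String(cfg.appName) }));
}

// Regression check: walk a response value and report the paths of keys that
// look like credentials or connection details. The pattern is an assumption.
const SENSITIVE_KEY = /pass|secret|token|user|url|host|jdbc/i;

function findSensitiveKeys(value, path = '') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findSensitiveKeys(v, `${path}[${i}]`)));
  } else if (value && typeof value === 'object') {
    for (const [key, v] of Object.entries(value)) {
      const p = path ? `${path}.${key}` : key;
      if (SENSITIVE_KEY.test(key)) hits.push(p);
      hits.push(...findSensitiveKeys(v, p));
    }
  }
  return hits;
}

// Run directly to see the before/after: the raw config is flagged, the
// projected response is clean. (No console.log of the response belongs in
// the front-end controller itself, per the second "Tech" item.)
if (typeof require !== 'undefined' && require.main === module) {
  console.log('raw config leaks:', findSensitiveKeys(INTERNAL_APP_CONFIGS));
  const pub = toPublicAppList(INTERNAL_APP_CONFIGS);
  console.log('public response:', JSON.stringify(pub));
  console.log('public response leaks:', findSensitiveKeys(pub));
}

module.exports = { INTERNAL_APP_CONFIGS, toPublicAppList, findSensitiveKeys };
```

The check in findSensitiveKeys is the piece worth keeping around: run it against the serialized endpoint output in a test so that a later change to the config shape cannot quietly reintroduce the leak.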

Activity

Himabindu Akkinepalli
April 11, 2019, 9:50 AM

Updated atomfeed-console version to 1.1 in the bahmni-playbooks to get the latest atomfeed-console.rpm packaged with bahmni-installer. Pushed changes to master branch and cherry-picked the commit to release-0.91 and release-0.92. Below are the commit details:
master -> https://github.com/Bahmni/bahmni-playbooks/commit/2c92815ddbe9d91f2f86889a983e4eba8ff0d12a
release-0.92 -> https://github.com/Bahmni/bahmni-playbooks/commit/90ce6386a3473aca3a2cca615c827f8ad9613e55
release-0.91 -> https://github.com/Bahmni/bahmni-playbooks/commit/96647f6fb84fa8b0630750a36590b8749e4da285

Himabindu Akkinepalli
April 16, 2019, 7:26 AM

Tested atomfeed-console version on product-qa03(0.92) env and it has latest version 1.1. The same needs to be tested for master(0.93) and 0.91.

Fixed

Assignee

Himabindu Akkinepalli

Reporter

swathi varkala


UAT Assignee

Himabindu Akkinepalli


Sprint

0.93 Product M1
