Summary
Grading configuration endpoints appear under-protected: integration-token enforcement is inconsistent.
Where
- Repository: autograder
- Component: web/api/v1/grading_configs.py
Findings
require_integration_token is only attached to GET /api/v1/configs/id/{config_id}, while the other config endpoints are open in the router:
- POST /api/v1/configs
- GET /api/v1/configs/{external_assignment_id}
- GET /api/v1/configs
- PUT /api/v1/configs/{config_id}
- PUT /api/v1/configs/external/{external_assignment_id}
Expected behavior
All machine-to-machine grading configuration endpoints should enforce the integration auth boundary consistently.
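As an added illustration (not code from the autograder project), a stdlib-only Python model of the reported state beside the consistent one: the guard attached to a single route versus a router-level guard every route inherits, plus an audit helper that lists any route the guard would not cover. The token value, the X-Integration-Token header, build_router and dispatch are assumptions for the example.

```python
import hmac

# Constructed shared secret for the example; a real deployment loads it from config.
INTEGRATION_TOKEN = "example-integration-token"

class Unauthorized(Exception):
    pass

def require_integration_token(headers):
    """Guard: reject requests whose X-Integration-Token is missing or wrong."""
    token = headers.get("X-Integration-Token", "")
    if not hmac.compare_digest(token, INTEGRATION_TOKEN):
        raise Unauthorized("missing or invalid integration token")

# The grading-config endpoints from the finding; handlers are stand-ins.
CONFIG_ROUTES = [
    ("POST", "/api/v1/configs"),
    ("GET", "/api/v1/configs/id/{config_id}"),
    ("GET", "/api/v1/configs/{external_assignment_id}"),
    ("GET", "/api/v1/configs"),
    ("PUT", "/api/v1/configs/{config_id}"),
    ("PUT", "/api/v1/configs/external/{external_assignment_id}"),
]

def build_router(router_guards=(), per_route_guards=None):
    """Route table (method, path) -> guards: router-level guards applied to
    every route, plus any guards attached to individual routes."""
    per_route_guards = per_route_guards or {}
    return {route: list(router_guards) + list(per_route_guards.get(route, ()))
            for route in CONFIG_ROUTES}

# Before: the guard hangs off one route only (the reported state).
VULNERABLE = build_router(per_route_guards={
    ("GET", "/api/v1/configs/id/{config_id}"): (require_integration_token,)})
# After: the guard is declared once at router level, so no route can miss it.
HARDENED = build_router(router_guards=(require_integration_token,))

def unguarded_routes(router):
    """Audit helper: routes that would execute without the integration guard."""
    return sorted(r for r, guards in router.items()
                  if require_integration_token not in guards)

def dispatch(router, method, path, headers):
    """Run the route's guards in order; 401 if any rejects, else 200."""
    for guard in router[(method, path)]:
        try:
            guard(headers)
        except Unauthorized:
            return 401
    return 200
```

Running unguarded_routes over the real router table (or asserting it is empty in a unit test) turns this class of gap into a regression check rather than a manual review item.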
Impact
Unauthorized clients may create/read/update grading configs.
References
Found during QA refinement for api-grader-prisma#242.