Specification includes disabled resources

Created on 22 February 2023
Updated 15 May 2024

Problem/Motivation

As far as I can tell the OpenAPI specification generated by this module includes paths/endpoints for resources that have been disabled.

Calling the disabled endpoint will not produce any results but it might be characterized as some form of information disclosure.

Steps to reproduce

  1. Spawn a new site with the OpenAPI REST module and REST UI module (for some reason this is required) on simplytest.me
  2. Go to the REST resources configuration page at /admin/config/services/rest
  3. Enable and configure the /dblog/{id}: GET resource
  4. Disable the resource
  5. Go to the OpenAPI Resources page at /admin/config/services/openapi
  6. View the REST specification
  7. Note that it includes the disabled dblog path

Note that it is important that the resource being enabled/disabled is not an entity resource. If it is an entity resource it will cause an exception to be thrown, as reported in a separate issue.

The solution is about the same.

Proposed resolution

Filter out disabled resources so that their paths do not appear in the generated specification.
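An added example of the filtering step, not the module's own code: it loads the REST resource config entities from Drupal core's rest module, keeps only those whose status is enabled, and collects the URI paths of the remaining resource plugins so the spec generator can be restricted to them. The function names are hypothetical; the entity type ID `rest_resource_config`, `status()`, `getResourcePlugin()` and the `uri_paths` plugin definition key are core REST module APIs.

```php
<?php

use Drupal\rest\RestResourceConfigInterface;

/**
 * Returns only the enabled REST resource configurations, keyed by config ID.
 *
 * A resource that was enabled and later disabled still exists as a config
 * entity with status FALSE, which is why iterating over loadMultiple()
 * without this check leaks its paths into the specification.
 *
 * @return \Drupal\rest\RestResourceConfigInterface[]
 */
function openapi_example_enabled_rest_configs(): array {
  // Hypothetical helper name; the storage handler and entity type are real.
  $storage = \Drupal::entityTypeManager()->getStorage('rest_resource_config');
  /** @var \Drupal\rest\RestResourceConfigInterface[] $configs */
  $configs = $storage->loadMultiple();
  return array_filter(
    $configs,
    fn(RestResourceConfigInterface $config): bool => $config->status()
  );
}

/**
 * Collects the URI paths (e.g. "/dblog/{id}") exposed by enabled resources.
 *
 * Use this set as an allow-list when emitting the "paths" object of the
 * specification; any path not in it belongs to a disabled resource.
 *
 * @return string[]
 */
function openapi_example_enabled_uri_paths(): array {
  $paths = [];
  foreach (openapi_example_enabled_rest_configs() as $config) {
    $definition = $config->getResourcePlugin()->getPluginDefinition();
    // "uri_paths" is the plugin annotation key used by core REST resources.
    foreach ($definition['uri_paths'] ?? [] as $path) {
      $paths[$path] = TRUE;
    }
  }
  return array_keys($paths);
}
```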

Remaining tasks

None

User interface changes

None

API changes

None

Data model changes

None

🐛 Bug report
Status

RTBC

Version

2.0

Component

Code

Created by

kasperg (Denmark)
