Project Information
- Repository: https://github.com/stoodkev/steemplus-api
- Project Name: SteemPlus (API)
- Publisher (if applicable): @stoodkev
Expected behavior
The job that updates the SPP (SteemPlus Points) should only run once every hour, as stated in the code.
Only authorized persons should be able to start resource-intensive jobs on the steemplus-api server. Such functionality should never be exposed via an API endpoint.
Actual behavior
Every user is able to call the mentioned API endpoint to start the job manually. A malicious user could use this to overload the steemplus-api server, resulting in a DoS (Denial-of-Service) attack.
It is also possible (by sending a few requests in parallel) that some points are missing or counted twice in the database, depending on the exact moment at which the concurrent runs overlap.
How to reproduce
The bug can be reproduced simply by calling the following API endpoint:
/job/update-steemplus-points
Solution
One solution would be to secure the API endpoint with a private key stored in the config, so that only authorized users can call the function.
Another solution would be to not expose this function via the API at all and only trigger it internally via a cron job or similar.
I decided to go with solution number one and started a pull request for it:
Pull-Request
Recording Of The Bug
Before executing the job:
Executing the job:
After executing the job:
As we can see, my user information was created and my points were updated without waiting for an hour.
GitHub Account
The problem was brought to the project owner via a GitHub issue (in addition to the pull request), and I also reached out to him via Discord, where he confirmed that this is a problem. (A screenshot can be provided if needed.)