Files
wehub-resource-sync 0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:24:08 +08:00

229 lines
6.9 KiB
Python

"""
Debug endpoints - Security Misconfiguration demonstration.
This demonstrates API8: Security Misconfiguration
These endpoints expose sensitive information and should not exist in production.
"""
from typing import Optional
from fastapi import APIRouter, Query
from ..config import JWT_SECRET, SECURITY_MISCONFIGURATION, SWAG_DB_PATH
router = APIRouter(prefix="/debug", tags=["debug"])
# Global storage for debug logs (populated by chat handler)
debug_logs = []
# Debug key (intentionally leaked in error messages at level 2)
DEBUG_KEY = "cloudswag_debug_2024"
def add_debug_log(entry: dict):
"""Append a debug log entry and retain only the latest 100 records."""
debug_logs.append(entry)
# Keep only last 100 entries
if len(debug_logs) > 100:
debug_logs.pop(0)
@router.get("/logs")
async def get_debug_logs(debug_key: Optional[str] = Query(None)):
"""
Returns all chat logs including tool calls and user data.
SECURITY MISCONFIGURATION: Exposes sensitive information.
Level 1: No authentication required
Level 2: Requires debug_key (but key is leaked in error message)
Level 3: Endpoint disabled
"""
if SECURITY_MISCONFIGURATION == 3:
return {"error": "Debug endpoints disabled in production"}
if SECURITY_MISCONFIGURATION == 2:
if debug_key != DEBUG_KEY:
# Intentionally leak the debug key in the error message
return {
"error": "Debug key required",
"hint": f"Use query param: ?debug_key={DEBUG_KEY}",
"example": f"/debug/logs?debug_key={DEBUG_KEY}",
}
# Level 1: No auth required, Level 2: Auth passed
return {
"status": "debug_enabled",
"security_level": SECURITY_MISCONFIGURATION,
"warning": "DEBUG MODE - Sensitive data exposed",
"logs": debug_logs[-50:], # Last 50 entries
"config": {
"jwt_secret": JWT_SECRET,
"db_path": str(SWAG_DB_PATH),
"debug_key": DEBUG_KEY,
},
}
@router.get("/config")
async def get_config(debug_key: Optional[str] = Query(None)):
"""
Returns application configuration including secrets.
SECURITY MISCONFIGURATION: Exposes JWT secret and database path.
"""
if SECURITY_MISCONFIGURATION == 3:
return {"error": "Debug endpoints disabled in production"}
if SECURITY_MISCONFIGURATION == 2 and debug_key != DEBUG_KEY:
return {"error": f"Debug key required. Hint: {DEBUG_KEY}"}
from ..config import (
SECURITY_AUTH,
SECURITY_BOLA,
SECURITY_FUNCTION_AUTH,
SECURITY_INVENTORY,
SECURITY_PROPERTY_AUTH,
SECURITY_SSRF,
SECURITY_UNSAFE_CONSUMPTION,
SSRF_BLACKLIST,
SSRF_WHITELIST,
)
return {
"jwt_secret": JWT_SECRET,
"jwt_algorithm": "HS256",
"database_path": str(SWAG_DB_PATH),
"security_levels": {
"BOLA": SECURITY_BOLA,
"AUTH": SECURITY_AUTH,
"PROPERTY_AUTH": SECURITY_PROPERTY_AUTH,
"FUNCTION_AUTH": SECURITY_FUNCTION_AUTH,
"SSRF": SECURITY_SSRF,
"MISCONFIGURATION": SECURITY_MISCONFIGURATION,
"INVENTORY": SECURITY_INVENTORY,
"UNSAFE_CONSUMPTION": SECURITY_UNSAFE_CONSUMPTION,
},
"ssrf_blacklist": SSRF_BLACKLIST,
"ssrf_whitelist": SSRF_WHITELIST,
"warning": "NEVER EXPOSE THIS IN PRODUCTION",
}
@router.get("/sessions")
async def get_all_sessions(debug_key: Optional[str] = Query(None)):
"""
Returns all active chat sessions across all users.
SECURITY MISCONFIGURATION: Exposes other users' sessions.
"""
if SECURITY_MISCONFIGURATION == 3:
return {"error": "Debug endpoints disabled in production"}
if SECURITY_MISCONFIGURATION == 2 and debug_key != DEBUG_KEY:
return {"error": f"Debug key required. Hint: {DEBUG_KEY}"}
# Import here to avoid circular imports
from .chat import _sessions
sessions_summary = {}
for session_id, history in _sessions.items():
sessions_summary[session_id] = {
"message_count": len(history),
"preview": history[-1] if history else None,
}
return {
"total_sessions": len(_sessions),
"sessions": sessions_summary,
"warning": "Contains all users' conversation data",
}
@router.get("/users")
async def get_all_users(debug_key: Optional[str] = Query(None)):
"""
Returns all users with sensitive data.
SECURITY MISCONFIGURATION: Exposes user passwords and PII.
"""
if SECURITY_MISCONFIGURATION == 3:
return {"error": "Debug endpoints disabled in production"}
if SECURITY_MISCONFIGURATION == 2 and debug_key != DEBUG_KEY:
return {"error": f"Debug key required. Hint: {DEBUG_KEY}"}
import sqlite3
conn = sqlite3.connect(SWAG_DB_PATH)
cursor = conn.cursor()
try:
cursor.execute("""
SELECT user_id, email, username, password_hash, full_name,
department, office_location, swag_points, salary, ssn_last_four, role
FROM users
""")
rows = cursor.fetchall()
users = []
for row in rows:
users.append(
{
"user_id": row[0],
"email": row[1],
"username": row[2],
"password_hash": row[3], # SENSITIVE!
"full_name": row[4],
"department": row[5],
"office_location": row[6],
"swag_points": row[7],
"salary": row[8], # SENSITIVE!
"ssn_last_four": row[9], # SENSITIVE!
"role": row[10],
}
)
return {
"users": users,
"count": len(users),
"warning": "SENSITIVE DATA - passwords, salaries, SSNs exposed",
}
finally:
conn.close()
@router.get("/error-test")
async def trigger_error():
"""
Endpoint that triggers an error to test error handling.
At security level 1, this returns a full stack trace.
"""
if SECURITY_MISCONFIGURATION == 3:
return {"error": "Debug endpoints disabled"}
# Intentionally cause an error
try:
_ = 1 / 0 # noqa: F841
except Exception as e:
import traceback
if SECURITY_MISCONFIGURATION == 1:
# Level 1: Return full stack trace
return {
"error": str(e),
"type": type(e).__name__,
"stack_trace": traceback.format_exc(),
"warning": "Full stack trace exposed - security misconfiguration",
}
else:
# Level 2: Partial error info
return {
"error": "An error occurred",
"hint": f"Debug with: /debug/logs?debug_key={DEBUG_KEY}",
}
return {"error": "An error occurred"}