AntFleet

Disagreement · 3a9ae97b-anthropic-5

POST /api/settings allows unauthenticated rewrite of API keys, Neo4j credentials and webhook URLs

mismatch
repo 193af03f · PR #1 · reviewed 1 week ago

Primary finding

POST /api/settings allows unauthenticated rewrite of API keys, Neo4j credentials and webhook URLs

critical · security · high
  • backend/app/api/settings.py:168-257
  • backend/app/api/settings.py:220-224
  • backend/app/__init__.py:47-49
There is no authentication or authorization in front of /api/settings. CORS is open to any origin (`*`). An attacker who knows or guesses the deployment URL can POST {neo4j: {password: 'x'}, llm: {api_key: 'attacker-key'}} and silently exfiltrate / redirect future LLM and webhook traffic, or rewrite Config.WEBHOOK_URL to an attacker-controlled host so that future simulation completion webhooks leak to them. This is editable at runtime, so it persists for the process lifetime. The comment in webhook_service notes the URL itself never leaves the backend, but the *attacker* can write it. There is no CSRF token, no IP allowlist, no admin guard.

Recommendation

Gate /api/settings behind authentication (env-var admin token, localhost-only bind, or session auth). At minimum require a header like X-Admin-Token compared against Config.ADMIN_TOKEN and refuse the route when no token is set in a non-DEBUG deployment. Tighten CORS to specific origins for these admin routes.

Counterpart finding

Settings API allows unauthenticated runtime configuration changes (including API keys and DB creds)

high · security · high
  • backend/app/api/settings.py:119-164
The update_settings endpoint performs sensitive mutations (LLM API keys, Neo4j credentials, webhook URL, public base URL) but contains no authentication/authorization checks or restrictions. Any unauthenticated caller can change server behavior and credentials if this API is internet-exposed.

Recommendation

Enforce authentication/authorization for all settings endpoints, especially POST /api/settings. Options:
  • Require an admin bearer token/API key checked in a before_request guard.
  • Gate the entire blueprint behind session-based admin login.
  • If deployed behind a reverse proxy, still verify auth in-app and/or restrict network access to this route.
Additionally, limit which fields can be updated at runtime and audit/log all changes.
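Both recommendations above (the X-Admin-Token check against Config.ADMIN_TOKEN with fail-closed behaviour outside DEBUG, per-route CORS tightening, and a runtime field allowlist) can be implemented with a small guard module. The code below is an added illustration, not code from the reviewed repository or from AntFleet. It assumes the backend is Flask (the findings mention a blueprint and a before_request guard), that Config exposes ADMIN_TOKEN, DEBUG and a hypothetical ALLOWED_ORIGINS list, and the RUNTIME_EDITABLE field set is a made-up placeholder for whatever the project decides may change at runtime.

```python
"""Admin guard for a settings blueprint (added example; hypothetical names).

Assumptions not taken from the page: Flask backend, Config.ADMIN_TOKEN,
Config.DEBUG, Config.ALLOWED_ORIGINS, and the RUNTIME_EDITABLE allowlist.
The pure functions take plain mappings so they run without Flask installed;
only register_settings_guard() touches Flask itself.
"""
import hmac
from typing import Dict, List, Mapping, Optional, Sequence, Tuple

# Hypothetical allowlist of (section, field) pairs that may change at runtime.
# Credentials (Neo4j password, LLM api_key) and the webhook URL are deliberately
# absent: those stay environment-only and need a restart to change.
RUNTIME_EDITABLE = frozenset({("llm", "model"), ("llm", "temperature")})


def admin_guard(headers: Mapping[str, str],
                admin_token: Optional[str],
                debug: bool) -> Optional[Tuple[int, str]]:
    """Return None to allow the request, or (status, reason) to refuse it.

    Fail closed: if no ADMIN_TOKEN is configured and the app is not in DEBUG,
    the settings routes are unavailable rather than silently open.
    """
    if not admin_token:
        if debug:
            return None  # local development only
        return (503, "settings API disabled: ADMIN_TOKEN is not configured")
    supplied = headers.get("X-Admin-Token", "")
    # Constant-time comparison so a wrong token leaks nothing via timing.
    if not hmac.compare_digest(supplied.encode("utf-8"),
                               admin_token.encode("utf-8")):
        return (403, "invalid or missing X-Admin-Token")
    return None


def cors_origin(request_origin: Optional[str],
                allowed: Sequence[str]) -> Optional[str]:
    """Access-Control-Allow-Origin value for admin routes, or None.

    The requesting origin is echoed only if it is on the allowlist; '*' is
    never emitted for these routes.
    """
    if request_origin and request_origin in allowed:
        return request_origin
    return None


def split_runtime_updates(payload: Mapping[str, object]
                          ) -> Tuple[Dict[str, Dict[str, object]], List[str]]:
    """Partition a settings POST body into accepted and rejected fields.

    Rejected entries are returned as 'section.field' strings so the caller can
    audit-log exactly what was refused.
    """
    accepted: Dict[str, Dict[str, object]] = {}
    rejected: List[str] = []
    for section, fields in payload.items():
        if not isinstance(fields, dict):
            rejected.append(section)
            continue
        for key, value in fields.items():
            if (section, key) in RUNTIME_EDITABLE:
                accepted.setdefault(section, {})[key] = value
            else:
                rejected.append(f"{section}.{key}")
    return accepted, rejected


def register_settings_guard(blueprint, config) -> None:
    """Attach the guard and CORS policy to a Flask blueprint.

    Flask is imported here so the functions above stay importable and testable
    without it. 'blueprint' and 'config' are the project's own objects.
    """
    from flask import abort, request  # assumption: Flask backend

    @blueprint.before_request
    def _require_admin_token():
        verdict = admin_guard(request.headers,
                              getattr(config, "ADMIN_TOKEN", None),
                              getattr(config, "DEBUG", False))
        if verdict is not None:
            abort(verdict[0], description=verdict[1])

    @blueprint.after_request
    def _restrict_cors(response):
        origin = cors_origin(request.headers.get("Origin"),
                             getattr(config, "ALLOWED_ORIGINS", ()))
        response.headers.pop("Access-Control-Allow-Origin", None)
        if origin:
            response.headers["Access-Control-Allow-Origin"] = origin
            response.headers["Vary"] = "Origin"
        return response
```

The route handler would call split_runtime_updates() on the parsed body, apply only the accepted part and log the rejected names. One caveat: if an app-level CORS handler in backend/app/__init__.py still sets `*` for every response, it runs after the blueprint's after_request and would overwrite the header, so the global policy must exclude the settings blueprint for the per-route tightening to hold.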

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.