Skip to content

security: Cache admin endpoints and /metrics are unauthenticated #99

New issue
New issue
Closed
#116
Closed
security: Cache admin endpoints and /metrics are unauthenticated#99
#116
Assignees
jonasyr
@jonasyr

Description

@jonasyr
jonasyr
opened on Nov 14, 2025

Summary

The cache administration routes under /api/commits/cache/* and the Prometheus /metrics endpoint are exposed without any authentication. This is a high-severity
issue: unauthenticated callers can read internal cache/coordination state, list cached repositories, evict caches for arbitrary repos (DoS via cache churn), and scrape
detailed runtime metrics. The previous assumption that these routes were guarded by X-Admin-Token was incorrect in the current code.

Affected versions

  • Branch: main (current workspace)
  • Files:
    • apps/backend/src/routes/commitRoutes.ts:525-619 — cache routes defined with no auth middleware
    • apps/backend/src/index.ts:188-195/metrics mounted with no auth

Impact

  • Integrity/Availability: Unauthenticated POST /api/commits/cache/invalidate forces re-clone/recompute for any repo, enabling cache-thrashing and DoS.
  • Confidentiality: Unauthenticated GET /api/commits/cache/stats and /cache/repositories leak cache topology, hit ratios, coordination metrics, and cached repo
    lists. /metrics leaks process/runtime/app metrics useful for recon and targeted resource exhaustion.

Proof of Concept (no auth headers)

With backend at http://127.0.0.1:3001:

curl -i http://127.0.0.1:3001/api/commits/cache/stats
curl -i http://127.0.0.1:3001/api/commits/cache/repositories
curl -i -H "Content-Type: application/json" \
  -d '{"repoUrl":"https://github.com/torvalds/linux.git"}' \
  http://127.0.0.1:3001/api/commits/cache/invalidate
curl -i http://127.0.0.1:3001/metrics | head -n 20

Observed: all return 200 OK; stats/list data exposed; cache invalidation succeeds; metrics dump accessible.

Code evidence

  • apps/backend/src/routes/commitRoutes.ts:525-619 — routes mounted directly, no auth middleware.
  • apps/backend/src/index.ts:188-195 — metrics handler mounted without auth.

Expected vs Actual

  • Expected: 401/403 without admin credentials; admin-only access for cache admin endpoints and /metrics.
  • Actual: 200 OK for unauthenticated callers; sensitive data and state changes exposed publicly.

Remediation

  1. Add an admin-only auth gate (header token or JWT with role) before /api/commits/cache/* and /metrics.
  2. Add stricter per-route rate limits and audit logging (IP, path, outcome) for these admin endpoints.
  3. Minimize data returned by stats/repositories routes to least necessary for admins.
  4. For /metrics, consider binding to an internal interface/port and removing CORS exposure.

Acceptance criteria

  • Unauthenticated requests to /api/commits/cache/stats, /cache/repositories, /cache/invalidate, and /metrics return 401/403 (or are unreachable from untrusted
    networks).
  • Authenticated admin requests succeed.
  • Tests cover success with admin credentials and failure without for all four endpoints.

Severity

High (unauthenticated administrative/state-changing access and internal observability exposure).

Metadata

Metadata

Assignees

Labels

No labels
No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions