Skip to content

Address reported security issues in the panoramapublic module#655

Open
vagisha wants to merge 2 commits into
release26.3-SNAPSHOTfrom
26.3_fb_panoramapublic-security
Open

Address reported security issues in the panoramapublic module#655
vagisha wants to merge 2 commits into
release26.3-SNAPSHOTfrom
26.3_fb_panoramapublic-security

Conversation

@vagisha

@vagisha vagisha commented Jun 30, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Rationale

A security review of the panoramapublic module identified three issues. Two are addressed here. The third is noted below as out of scope by decision.

Changes

Test actions globally swap the NcbiPublicationSearchService singleton with no audit event (Informational)

  • The three Selenium-test support actions (SetupMockNcbiServiceAction, RestoreNcbiServiceAction, RegisterMockPublicationAction) swap a process-wide singleton. They are @RequiresSiteAdmin but otherwise reachable in production, and extended ReadOnlyApiAction, which does no CSRF check and is reachable by a plain GET.
  • Added requireDevModeForMockNcbiService(): the actions now return 404 on a non-dev-mode server. Dev machines and TeamCity run in dev mode, so tests are unaffected.
  • Changed the three actions from ReadOnlyApiAction to MutatingApiAction, since they mutate global state, which also requires a POST with a CSRF token.
  • The report suggested adding an audit event or compiling these out of production builds. On review we found that gating them to dev mode is a better fix, since it removes the production attack surface entirely rather than just recording the swap.

Uses System.out instead of Log4J2 (Informational)

  • ExperimentModificationGetter: removed System.out helpers printStructuralMod and printIsotopicMod and their call sites.

Tests

  • PublicationSearchTest: invoke the three mock-NCBI actions with SimplePostCommand instead of SimpleGetCommand.

Not in scope (by decision)

  • The spectral-library source password stored unencrypted in panoramapublic.speclibinfo (the third finding) is deferred. The value is masked on display to non-site-admins, and the at-rest risk is acceptable. We intend to remove this column in future work.

vagisha and others added 2 commits June 29, 2026 16:57
@vagisha @claude
Restricted mock NCBI publication search test actions to dev mode
5a4c48e 
* The three actions (SetupMockNcbiService, RestoreNcbiService, RegisterMockPublication) swap a process-wide service and were reachable on production via a forge-able GET (ReadOnlyApiAction does no CSRF check), despite @RequiresSiteAdmin
* Added requireDevModeForMockNcbiService(): the actions now return 404 in non-dev mode
* Changed actions to MutatingApiAction (correct type for state mutation; also enforces a CSRF token)
* Updated PublicationSearchTest to use SimplePostCommand; verified passing with the mock (POST path) and against real NCBI

Co-Authored-By: Claude <noreply@anthropic.com>
@vagisha
Removed unused System.out helpers (printStructuralMod, printIsotopicM…
aec9577 
…od) from ExperimentModificationGetter.TestCase
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@labkey-jeckels labkey-jeckels labkey-jeckels approved these changes
@ankurjuneja ankurjuneja Awaiting requested review from ankurjuneja

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vagisha @labkey-jeckels