From 8a2d9f3e23f2dc1956cb6f93a50ab3f71e48408b Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 1 Sep 2024 14:01:23 +0200
Subject: [PATCH] api.schedule: abort early in _require_video_api_key if key is missing/empty in config

If we don't have that, the code will happily compare "" against "", which is true, leading to an authentication bypass vulnerability.
---
 apps/api/schedule.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/apps/api/schedule.py b/apps/api/schedule.py
index 29e971f3c..cf26c7b77 100644
--- a/apps/api/schedule.py
+++ b/apps/api/schedule.py
@@ -17,6 +17,9 @@ def _require_video_api_key(func):
     @wraps(func)
     def wrapper(*args, **kwargs):
+        if not app.config.get("VIDEO_API_KEY"):
+            abort(401)
+
         auth_header = request.headers.get("authorization", None)
         if not auth_header or not auth_header.startswith("Bearer "):
             abort(401)
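Review bot: The new guard fails closed, which is the right default, but a bare `abort(401)` on a missing or empty `VIDEO_API_KEY` makes a server-side misconfiguration indistinguishable from a bad client token in logs and monitoring, so nobody notices that the endpoint has effectively been disabled; log it first, e.g. `app.logger.error("VIDEO_API_KEY is not configured; rejecting request")` before the `abort(401)` (or raise a 500, since the fault is the deployment's, not the caller's). The token comparison the commit message describes is outside this hunk; if it is a plain `==` it should become `hmac.compare_digest(token, app.config["VIDEO_API_KEY"])` so the check is constant-time, and a start-up check of the config would catch the empty-key case before any request is served. Both `wrapper` and `_require_video_api_key` continue past the end of the hunk.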