Impact
It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of evaluations, this can impact the availability of systems.
Patches
The problem can be fixed by applying f730433 (which depends on 916531d) to any Hydra package.
Patches for the nixpkgs packages are here:
Workarounds
Deny the /api/push route in a reverse proxy. This also breaks the "Evaluate jobset" button in the frontend.
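One way to apply this workaround when nginx is the reverse proxy in front of Hydra, as an added example that is not part of the advisory or of Hydra itself; it assumes Hydra listens on 127.0.0.1:3000 and that the hostname is a placeholder:

```nginx
server {
    listen 443 ssl;
    server_name hydra.example.org;   # placeholder hostname, adjust to your deployment

    # Workaround from the advisory: refuse the unauthenticated evaluation
    # trigger before it reaches Hydra. A prefix location covers /api/push and
    # anything beneath it; the query string takes no part in location matching,
    # so requests carrying parameters are rejected as well.
    location /api/push {
        return 403;
    }

    # Everything else is proxied to Hydra unchanged.
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Check after reloading nginx: the proxy, not Hydra, should answer with 403.
#   curl -sS -o /dev/null -w '%{http_code}\n' https://hydra.example.org/api/push
```

As the advisory notes, this block also disables the "Evaluate jobset" button, so remove it once a Hydra build containing f730433 is deployed.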
References
The initial finding was documented here: https://mastodon.delroth.net/@delroth/113029832631860419