I was in the process of drafting an issue about how the way we handle API endpoint creation in the CMS is garbage and could lead to vulnerabilities ... when I found a vulnerability in one of our API endpoints.
CMSExternalLinksController is the controller that is used to trigger the broken links report generation. It is wide open to anyone. It doesn't even try to check if you are logged in.
Replication steps
Make sure you are not logged in
Go to a CMS site and access `/admin/externallinks/start`
Actual results: External broken link report job is created.
Expected results: Your access is denied.
Same thing happens for `/admin/externallinks/getJobStatus`
Severity
No critical bit of data is exposed. The getJobStatus endpoint lists the job status and that's it. e.g.:
Still, I think it's reasonable to expect that only a CMS user should be able to create broken link jobs and fetch their status.
While this is not great, we concluded it doesn't have any impact because all this does is disclose the ID of a pointless job. The Job itself is set up so it can not be run over and over again.
Acceptance criteria
Only users with the CMS can call any action on CMSExternalLinksController
This issue initially went through our security issue triage process, but we concluded it had no impact so we will fix it in the open. https://github.com/silverstripe-security/security-issues/issues/171
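The acceptance criterion above (only CMS users may call any action on the controller) is most cleanly met by gating the whole controller in its `init()` hook rather than checking in each action. The following is an added illustrative example and is not the module's own code or its actual fix: it assumes a Silverstripe 4 controller, uses the existing `CMS_ACCESS_CMSMain` permission code as the gate, and the `start`/`getJobStatus` bodies and their JSON payloads are constructed placeholders.

```php
<?php
// Added example, not the externallinks module's code: a Silverstripe 4
// controller whose every action requires CMS access. The class name,
// the permission code choice and the action bodies are assumptions.

namespace Example;

use SilverStripe\Control\Controller;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Control\HTTPResponse;
use SilverStripe\Security\Permission;
use SilverStripe\Security\Security;

class GuardedReportController extends Controller
{
    // Explicitly whitelist the routable actions; anything else is 404.
    private static $allowed_actions = [
        'start',
        'getJobStatus',
    ];

    // Runs before any action is dispatched, so a single check covers
    // every endpoint on this controller (including ones added later).
    protected function init()
    {
        parent::init();

        if (Permission::check('CMS_ACCESS_CMSMain')) {
            return; // authorised CMS user, carry on to the action
        }

        if (!Security::getCurrentUser()) {
            // Anonymous caller: permissionFailure() sets a redirect to the
            // login form on this controller's response; handleRequest()
            // sees the finished response and never runs the action.
            Security::permissionFailure(
                $this,
                'You must be logged in to the CMS to use the broken links report.'
            );
            return;
        }

        // Logged in but without CMS access: stop dispatch with a 403.
        $this->httpError(403, 'CMS access is required for this action.');
    }

    public function start(HTTPRequest $request): HTTPResponse
    {
        // Constructed placeholder: a real implementation would enqueue the
        // report job here. Only reachable after init() let the request through.
        return $this->jsonResponse(['status' => 'queued']);
    }

    public function getJobStatus(HTTPRequest $request): HTTPResponse
    {
        // Constructed placeholder payload; the real job status is not modelled.
        return $this->jsonResponse(['status' => 'none']);
    }

    private function jsonResponse(array $data): HTTPResponse
    {
        $response = HTTPResponse::create(json_encode($data));
        $response->addHeader('Content-Type', 'application/json');
        return $response;
    }
}
```

To verify the fix the way the replication steps do, request `/admin/externallinks/start` and `/admin/externallinks/getJobStatus` from a logged-out session: the expected result is a redirect to the login form rather than a created job, and a logged-in account without CMS access should receive a 403. Putting the check in `init()` rather than in each action is the design point: a new action added to the controller later is still protected by default.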