Secure dev endpoints that could be used to crash open NZBHydra instances

Closes #923
theotherp · Mar 18, 2024 · ae06410 · ae06410
1 parent 6252cce
commit ae06410
Showing 1 changed file with 15 additions and 6 deletions.
diff --git a/core/src/main/java/org/nzbhydra/DevEndpoint.java b/core/src/main/java/org/nzbhydra/DevEndpoint.java
@@ -26,6 +26,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.http.MediaType;
 import org.springframework.security.access.AccessDeniedException;
@@ -41,6 +42,7 @@
 import java.util.List;
 
 @SuppressWarnings("unchecked")
+@Secured({"ROLE_ADMIN"})
 @RestController
 public class DevEndpoint {
 
@@ -52,29 +54,31 @@ public class DevEndpoint {
     private ConfigProvider configProvider;
     @Autowired
     private ApplicationEventPublisher applicationEventPublisher;
+    @Value("${nzbhydra.devMode}")
+    private boolean devMode;
 
     private static final Logger logger = LoggerFactory.getLogger(DevEndpoint.class);
 
-    @Secured({"ROLE_ADMIN"})
+
     @RequestMapping(value = "/dev/countDanglingIndexersearches", method = RequestMethod.GET)
     public BigInteger countDanglingIndexersearches() throws Exception {
         final List<BigInteger> resultList = entityManager.createNativeQuery("select count(*) from SEARCHRESULT x where x.INDEXERSEARCHENTITY not in (select y.id from INDEXERSEARCH y)").getResultList();
         return resultList.get(0);
     }
 
-    @Secured({"ROLE_ADMIN"})
+
     @RequestMapping(value = "/dev/throwException", method = RequestMethod.GET)
     public BigInteger throwException() throws Exception {
         throw new RuntimeException("test");
     }
 
-    @Secured({"ROLE_ADMIN"})
+
     @RequestMapping(value = "/dev/throwAccessDeniedException", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.APPLICATION_JSON_VALUE)
     public BigInteger throwAccessDeniedException() throws Exception {
         throw new AccessDeniedException("test");
     }
 
-    @Secured({"ROLE_ADMIN"})
+
     @Transactional
     @RequestMapping(value = "/dev/deleteDanglingIndexersearches", method = RequestMethod.GET)
     public String deleteDanglingIndexersearches() throws Exception {
@@ -83,6 +87,9 @@ public String deleteDanglingIndexersearches() throws Exception {
 
     @RequestMapping(value = "/dev/testAddToSonarr", method = RequestMethod.GET)
     public String testAddToSonarr() throws Exception {
+        if (!devMode) {
+            return null;
+        }
         final AddRequest addRequest = new AddRequest();
         addRequest.setAddTorrent(false);
         addRequest.setAddUsenet(false);
@@ -95,7 +102,7 @@ public String testAddToSonarr() throws Exception {
         return "OK";
     }
 
-    @Secured({"ROLE_ADMIN"})
+
     @RequestMapping(value = "/dev/sendIndexerDisabledNotification", method = RequestMethod.GET)
     public void sendIndexerDisabledNotification() {
         applicationEventPublisher.publishEvent(new IndexerDisabledNotificationEvent(configProvider.getBaseConfig().getIndexers().get(0).getName(), IndexerConfig.State.DISABLED_SYSTEM_TEMPORARY, "Some message generated by hydra"));
@@ -108,9 +115,11 @@ public void sendIndexerDisabledNotification() {
         applicationEventPublisher.publishEvent(new IndexerDisabledNotificationEvent(configProvider.getBaseConfig().getIndexers().get(0).getName(), IndexerConfig.State.DISABLED_SYSTEM_TEMPORARY, "Some message generated by hydra8"));
     }
 
-
     @RequestMapping(value = "/dev/crash", method = RequestMethod.GET)
     public void crashHard() throws Exception {
+        if (!devMode) {
+            return;
+        }
         Field f = Unsafe.class.getDeclaredField("theUnsafe");
         f.setAccessible(true);
         Unsafe unsafe = (Unsafe) f.get(null);