Security flaw in collectory api all fields are public

[sadeghim]

There is no authentication/security required for accessing the different fields in the dataresource info API such as : http://collections.ala.org.au/ws/dataResource/dr361

This makes critical information (specially connection properties visible to everyone).

• add a check for apikey to output connectionParameters and gbifRegistryKey.

[djtfmartin]

i think this is fine. The URLs to the underlying data should be blocked with an IP whitelist in Apache

[ansell]

There is no whitelist implemented in the current collectory server. Whitelists are fragile and are already overused in the ALA security model (both logger and auth rely completely on them).

The connectionParameters variable should only be shown to authenticated (apikey) users and access to the /upload/ directory should also be protected by apikey access.

Is the gbifRegistryKey also sensitive?

[nickdos]

gbifRegistryKey is part of the public URL on GBIF site, so not sensitive.

E.g. dr341 has gbifRegistryKey: "0debafd0-6c8a-11de-8225-b8a03c50a862" and GBIF page is https://www.gbif.org/dataset/0debafd0-6c8a-11de-8225-b8a03c50a862 - note same key in URL.