
[SECURITY] Secure SignalR WorkflowInstanceHub to Require Authentication #6084

Open
sfmskywalker opened this issue Oct 31, 2024 · 1 comment
@sfmskywalker
Member

Problem

The WorkflowInstanceHub currently accepts anonymous requests, which poses a security risk by allowing unrestricted access to SignalR endpoints. To improve security, we need to enforce authentication for all requests to this hub.

Solution

  1. Update WorkflowInstanceHub to require authenticated requests.
  2. Modify Elsa.Studio to ensure that the SignalR client includes authentication tokens or necessary credentials with each request.

Acceptance Criteria

  • WorkflowInstanceHub no longer accepts unauthenticated requests.
  • Elsa.Studio SignalR client successfully connects to the hub with authenticated requests.
@sfmskywalker sfmskywalker added bug Something isn't working prio immediate An urgent issue which must be addressed immediately labels Oct 31, 2024
@sfmskywalker sfmskywalker added this to the Elsa 3.2.2 milestone Oct 31, 2024
@sfmskywalker
Member Author

sfmskywalker commented Oct 31, 2024

🚨 Urgent Security Advisory for Elsa Workflows Developers

A critical security vulnerability has been discovered in Elsa Workflows that requires your immediate attention. To mitigate this vulnerability and secure your system, please take the following actions without delay:

Action Required

  1. Open your Elsa Workflow Server project.
  2. Locate and comment out the following lines of code:
    elsa.UseRealTimeWorkflows();
    app.UseWorkflowsSignalRHubs();

This measure will help close the security hole that has been identified.

Failure to take this action may leave your application exposed to potential exploits.

Elsa Studio will remain functionally operational, as it will fall back to a polling mechanism instead of realtime updates via SignalR.

@sfmskywalker sfmskywalker removed the prio immediate An urgent issue which must be addressed immediately label Dec 15, 2024
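The two posts above describe the fix in two parts (make the hub refuse anonymous connections; make the Studio client send credentials) and an interim mitigation (comment out the two real-time calls). The following is an added example, not Elsa's own code and not the patch that closed this issue: it shows the standard ASP.NET Core pattern for both halves. The `WorkflowInstanceHub` class here is a hypothetical stand-in that only shares its name with the hub in the issue, and the hub path, issuer and audience values are placeholders.

```csharp
// Added example (not Elsa's code): an ASP.NET Core SignalR hub that rejects
// anonymous connections, and the client side that attaches a bearer token.
// Names marked "hypothetical"/"placeholder" are stand-ins, not Elsa identifiers.

using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.SignalR;
using Microsoft.AspNetCore.SignalR.Client;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical hub standing in for the one named in the issue. [Authorize] at
// class level makes SignalR reject any connection whose HttpContext.User is
// not authenticated, before OnConnectedAsync or any hub method runs.
[Authorize]
public class WorkflowInstanceHub : Hub
{
    public Task Subscribe(string workflowInstanceId) =>
        Groups.AddToGroupAsync(Context.ConnectionId, workflowInstanceId);
}

public static class HubHosting
{
    public static WebApplication Build(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        builder.Services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://issuer.example"; // placeholder
                options.Audience = "elsa-api";                // placeholder

                // Browser WebSocket clients cannot set an Authorization header,
                // so the SignalR client sends the token as ?access_token=...
                // Accept it from the query string on the hub path only.
                options.Events = new JwtBearerEvents
                {
                    OnMessageReceived = ctx =>
                    {
                        var token = ctx.Request.Query["access_token"];
                        if (!string.IsNullOrEmpty(token) &&
                            ctx.HttpContext.Request.Path.StartsWithSegments("/hubs/workflow-instance"))
                        {
                            ctx.Token = token;
                        }
                        return Task.CompletedTask;
                    }
                };
            });
        builder.Services.AddAuthorization();
        builder.Services.AddSignalR();

        var app = builder.Build();
        app.UseAuthentication();
        app.UseAuthorization();

        // RequireAuthorization on the endpoint as well as [Authorize] on the
        // class, so the route stays protected even if the attribute is dropped.
        app.MapHub<WorkflowInstanceHub>("/hubs/workflow-instance") // placeholder path
           .RequireAuthorization();
        return app;
    }
}

public static class HubClient
{
    // Client side (the Elsa.Studio role in the issue): supply the same bearer
    // token the REST calls use. AccessTokenProvider is called on every
    // (re)connect, so a refreshed token is picked up without a restart.
    public static HubConnection Connect(string hubUrl, Func<Task<string?>> getToken)
    {
        return new HubConnectionBuilder()
            .WithUrl(hubUrl, options => options.AccessTokenProvider = getToken)
            .WithAutomaticReconnect()
            .Build();
    }
}
```

A quick check after deploying a change like this: open the hub URL's `negotiate` endpoint without a token and confirm it returns 401, then connect with a valid token and confirm the client reaches the `Connected` state. Until that is in place, the advisory's interim step of commenting out the two real-time calls removes the anonymous endpoint entirely, at the cost of Studio falling back to polling.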