Property:security.lua (restapi)

Name-Collision - multiple objects in this wiki use the name security.lua! security.lua (luascr) REST-API Security security.lua (restapi) REST-API Security

RESTAPI-Script

Goto:   Functions  -  Dependencies   -   Model-Matrix   -   SMW-Browser

security.lua is the REST-API Security checker. It is included by api.lua and api_generic.lua.

It provides a method for checking the access permissions for a given <endpoint> URL and access method (lan, wan).

By default an <endpoint> is denied, and whitelisted by a per <endpoint> access mask assigned in this script.

AVM comments it: Allow-List definition which endpoint with which rights can be accessed.

Security is enabled in ui-module webui:settings/rest_api_endpoint_security, which defaults to 1.
Tests to set it to 0 using ctlmgr_ctl did not work in fw 7.50.

root@fritz1:/var/media/ftp# ctlmgr_ctl r webui settings/rest_api_endpoint_security
1
root@fritz1:/var/media/ftp# ctlmgr_ctl w webui settings/rest_api_endpoint_securityr 0
root@fritz1:/var/media/ftp# ctlmgr_ctl r webui settings/rest_api_endpoint_security
1

This is likely limited to internal development firmware.

REST-API:

• Lexicon: REST, API, SCGI
• Commands: scgi_server
• Ports: Port-8187-tcp
• UI-Mods: webui
• API-Root: api.lua
• Includes: api_generic.lua, rest_config.lua, security.lua, espresso.lua, rest_api_const.lua, response.lua, error.lua
• Includes: avmluamessages.lua, uimod.lua, api_generic_filter.lua, resource.lua, datatype.lua, plugin_common.lua
• Modules: storagenasrights_rest.lua, webusb_rest.lua
• Modules: calllog_rest.lua, faxjournal_rest.lua, phonebook_rest.lua, smarthome_rest.lua, boxnotify_rest.lua
• Develop: obl_fboxname.lua, dev_debug.lua, landevice.lua, query_tree.lua, fake_modules.lua, obl.lua
• Common: array.lua, common.lua, func.lua, math.lua, string.lua, table.lua, typecheck.lua, validcheck.lua
• Plugins: configflags.lua, eventlog.lua, info.lua, monitor.lua, phonebook.lua, smarthome.lua, timermix.lua
• Misc-Plugins: misc.lua, boxname.lua, configuration.lua, handsets.lua, update_status.lua, wan_status.lua
• Setup-Plugins: setup.lua

The function names of scripts often help to understand function blocks (and show gaps in the docs). fw 7.50 functions:

$ grep -e '^function' -e '^local function' /usr/rest_api/security.lua

# Get the user rights from rights UIM.
local function get_user_session_rights()

# Check if the user(session) match any of the given required rights.
local function check_authentication(required_rights)

# Check if rights for endpoints should be checked or not.
local function security_active()

# Checks if the user has the permissions to access the requested url path.
function security.permission(path, access_type) 

Dependencies

Daily updated index of all dependencies of this script. Last update: GMT.
A * in the Mod column marks info from Supportdata-Probes, which will always stay incomplete.
If an Object includes itself then this is a file with the same name but another Path and the dependencies are merged.

Model-Matrix

Daily updated index of the presence, path and size of this script for each model. Last update: GMT.
Showing all models using this script. Click any column header (click-wait-click) to sort the list by the respective data.
The (main/scrpn/boot/arm/prx/atom/rtl) label in the Model column shows which CPU is meant for Multi-Linux models.
Note that this list is merged from Firmware-Probes of all known AVM firmware for a model, including Recovery.exe and Labor-Files.

SMW-Browser