Make BigqueryPollJobAction endpoint internal only (#955)

* Make BigqueryPollJobAction endpoint internal only

This endpoint makes use of Java object deserialization, which allows a
malicious actor to craft a request that can initiate overly broad actions on
the server.  Since this endpoint is not widely used for operational purposes,
limit its authorization to "internal only" so that no user agents (even with
admin privs) can access it.
Michael Muller 2021-02-05 07:50:51 -05:00 committed by GitHub
parent 5100057dd5
commit 29bf0f3965
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 60 additions and 8 deletions

@ -24,7 +24,7 @@ PATH CLASS METHOD
/_dr/task/icannReportingUpload IcannReportingUploadAction POST n INTERNAL,API APP ADMIN
/_dr/task/nordnUpload NordnUploadAction POST y INTERNAL,API APP ADMIN
/_dr/task/nordnVerify NordnVerifyAction POST y INTERNAL,API APP ADMIN
/_dr/task/pollBigqueryJob BigqueryPollJobAction GET,POST y INTERNAL,API APP ADMIN
/_dr/task/pollBigqueryJob BigqueryPollJobAction GET,POST y INTERNAL APP IGNORED
/_dr/task/publishDnsUpdates PublishDnsUpdatesAction POST y INTERNAL,API APP ADMIN
/_dr/task/publishInvoices PublishInvoicesAction POST n INTERNAL,API APP ADMIN
/_dr/task/publishSpec11 PublishSpec11ReportAction POST n INTERNAL,API APP ADMIN
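
Review bot: The /_dr/task/pollBigqueryJob row is now the only one in this hunk with INTERNAL and IGNORED, and the reason is recorded only in the commit message, so a later cleanup could restore INTERNAL,API APP ADMIN to match its neighbours without anyone noticing. I would add a comment where the action's auth setting is declared that names the Java object deserialization concern, and check that a test asserts non-internal callers are rejected. The row also still accepts GET,POST and the deserialization itself is unchanged, so internal callers still reach it; a follow-up that replaces the serialized payload with a plain data format, or constrains it with a class allow-list such as java.io.ObjectInputFilter, would remove the underlying risk rather than only narrowing who can trigger it.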