AdminGit2026/nis2-agile
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[SEC] Redatta chiave API mktg esposta in pagine pubbliche (F1 security audit)

Browse Source 
La chiave di produzione nis2_mktg_... (scope admin:licenses) era in chiaro in
mktg-api-doc.html e integrazioniext.html, servite pubblicamente -> chiunque poteva
ottenere una chiave di gestione licenze B2B. Sostituita con placeholder
nis2_mktg_xxxxx in entrambe le pagine (6 occorrenze totali).

NOTA: la chiave reale va ANCORA RUOTATA nel DB (api_keys) in coordinamento con
mktg-agile, poiche' resta nella history git e potenzialmente nota. Questo commit
elimina solo l'esposizione web continua.

Trovato da audit sicurezza multi-agente (F1, priorita' top).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
DevEnv nis2-agile 2026-05-31 16:16:53 +02:00
parent 54a9c0987f
commit e269fb108f
2 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
public/integrazioniext.html
View File

@ -558,14 +558,14 @@ curl "https://nis2.agile.software/api/invites/validate?token=inv_a1b2c3..."
<div class="section-title">Per mktg-agile / E-commerce — Quick Start</div> <div class="section-title">Per mktg-agile / E-commerce — Quick Start</div>
<div class="callout"> <div class="callout">
Chiave API già attiva per mktg-agile: <code style="color:#4ade80">nis2_mktg_8c8bd38e78fccb9faa749d8601051f42</code> Chiave API già attiva per mktg-agile: <code style="color:#4ade80">nis2_mktg_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</code>
· Scope: <code>admin:licenses</code> · Scade: 2028-03-07 · Scope: <code>admin:licenses</code> · Scade: 2028-03-07
· Doc completa: <a href="/mktg-api-doc.html" style="color:var(--primary)">mktg-api-doc.html</a> · Doc completa: <a href="/mktg-api-doc.html" style="color:var(--primary)">mktg-api-doc.html</a>
· Pannello web: <a href="/licenseExt.html" style="color:var(--primary)">licenseExt.html</a> · Pannello web: <a href="/licenseExt.html" style="color:var(--primary)">licenseExt.html</a>
</div> </div>
<div class="code-block"><span class="cmt"># 1. Crea licenza (mktg-agile → NIS2)</span> <div class="code-block"><span class="cmt"># 1. Crea licenza (mktg-agile → NIS2)</span>
curl -X POST https://nis2.agile.software/api/invites/create \ curl -X POST https://nis2.agile.software/api/invites/create \
-H <span class="str">"X-API-Key: nis2_mktg_8c8bd38e78fccb9faa749d8601051f42"</span> \ -H <span class="str">"X-API-Key: nis2_mktg_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"</span> \
-H <span class="str">"Content-Type: application/json"</span> \ -H <span class="str">"Content-Type: application/json"</span> \
-d <span class="str">'{"plan":"professional","duration_months":12,"max_users_per_org":10, -d <span class="str">'{"plan":"professional","duration_months":12,"max_users_per_org":10,
"label":"Ordine MKT-001","channel":"ecommerce","price_eur":990}'</span> "label":"Ordine MKT-001","channel":"ecommerce","price_eur":990}'</span>
@ -574,11 +574,11 @@ curl -X POST https://nis2.agile.software/api/invites/create \
<span class="cmt"># → consegna invite_url al cliente nel messaggio di conferma ordine</span> <span class="cmt"># → consegna invite_url al cliente nel messaggio di conferma ordine</span>
<span class="cmt"># 2. Verifica stato licenza in qualsiasi momento</span> <span class="cmt"># 2. Verifica stato licenza in qualsiasi momento</span>
curl -H <span class="str">"X-API-Key: nis2_mktg_8c8bd38e78fccb9faa749d8601051f42"</span> \ curl -H <span class="str">"X-API-Key: nis2_mktg_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"</span> \
"https://nis2.agile.software/api/invites/42" "https://nis2.agile.software/api/invites/42"
<span class="cmt"># 3. Lista licenze attive per canale ecommerce</span> <span class="cmt"># 3. Lista licenze attive per canale ecommerce</span>
curl -H <span class="str">"X-API-Key: nis2_mktg_8c8bd38e78fccb9faa749d8601051f42"</span> \ curl -H <span class="str">"X-API-Key: nis2_mktg_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"</span> \
"https://nis2.agile.software/api/invites/list?channel=ecommerce&amp;status=pending"</div> "https://nis2.agile.software/api/invites/list?channel=ecommerce&amp;status=pending"</div>
<div class="callout"> <div class="callout">

4
public/mktg-api-doc.html
View File

@ -110,7 +110,7 @@ table.resp code { background: rgba(255,255,255,.06); padding: .1rem .3rem; borde
<div style="display:grid;grid-template-columns:repeat(auto-fill,minmax(240px,1fr));gap:1rem;margin-bottom:1.25rem"> <div style="display:grid;grid-template-columns:repeat(auto-fill,minmax(240px,1fr));gap:1rem;margin-bottom:1.25rem">
<div style="background:rgba(0,0,0,.25);border-radius:8px;padding:1rem"> <div style="background:rgba(0,0,0,.25);border-radius:8px;padding:1rem">
<div style="font-size:.7rem;color:var(--text-secondary);margin-bottom:.4rem">CHIAVE API (già attiva)</div> <div style="font-size:.7rem;color:var(--text-secondary);margin-bottom:.4rem">CHIAVE API (già attiva)</div>
<code style="font-size:.75rem;color:#4ade80;word-break:break-all">nis2_mktg_8c8bd38e78fccb9faa749d8601051f42</code> <code style="font-size:.75rem;color:#4ade80;word-break:break-all">nis2_mktg_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</code>
<div style="font-size:.68rem;color:var(--text-secondary);margin-top:.3rem">Scope: admin:licenses · Scade: 2028-03-07</div> <div style="font-size:.68rem;color:var(--text-secondary);margin-top:.3rem">Scope: admin:licenses · Scade: 2028-03-07</div>
</div> </div>
<div style="background:rgba(0,0,0,.25);border-radius:8px;padding:1rem"> <div style="background:rgba(0,0,0,.25);border-radius:8px;padding:1rem">
@ -146,7 +146,7 @@ table.resp code { background: rgba(255,255,255,.06); padding: .1rem .3rem; borde
<pre style="margin-top:1rem;margin-bottom:0;font-size:.78rem"><span class="cm"># Crea licenza in 1 chiamata:</span> <pre style="margin-top:1rem;margin-bottom:0;font-size:.78rem"><span class="cm"># Crea licenza in 1 chiamata:</span>
curl -X POST https://nis2.agile.software/api/invites/create \ curl -X POST https://nis2.agile.software/api/invites/create \
-H <span class="sv">"X-API-Key: nis2_mktg_8c8bd38e78fccb9faa749d8601051f42"</span> \ -H <span class="sv">"X-API-Key: nis2_mktg_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"</span> \
-H <span class="sv">"Content-Type: application/json"</span> \ -H <span class="sv">"Content-Type: application/json"</span> \
-d <span class="sv">'{"plan":"professional","duration_months":12,"label":"Ordine #123","channel":"ecommerce","max_users_per_org":10,"price_eur":990}'</span> -d <span class="sv">'{"plan":"professional","duration_months":12,"label":"Ordine #123","channel":"ecommerce","max_users_per_org":10,"price_eur":990}'</span>