The current ResultsDB is coded such that anyone with network access can add/delete/modify results. While I don't expect malicious action, this seems to be an open invitation for someone to figure out that they can write data without auth and fill our db with spam.
The long-term solution here will be to have some sort of API auth, but for the near future, we can restrict POST, PUT, DELETE to specific IPs/hosts and leave GETs open to not hamper other usages of resultsdb.
This is mostly done. Fix in apache config files has been pushed to our ansible repo and is running on resultsdb-stg.cloud.
https://bitbucket.org/fedoraqa/ansible-playbooks/commits/f125eca0fb1603c6ba61ae25984eea08bb28867c
This fix still needs to be put into infra's ansible repo, though.
This has been fixed in infra's ansible repo, closing task as complete.
http://infrastructure.fedoraproject.org/cgit/ansible.git/commit/roles/taskotron/resultsdb-backend/templates/resultsdb.conf.j2?id=3e4a4775404eb0d4a2942a92a37221768d9732e5
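
An added illustration of the interim restriction described in this ticket, not the configuration from either linked commit: an Apache 2.4 fragment that leaves read methods open and limits every other method to listed source addresses. The location path and the addresses are placeholders chosen for the example.

```apache
# Added example; path and addresses are placeholders (documentation ranges),
# not values taken from the ResultsDB deployment.
<Location "/resultsdb-placeholder">
    # <LimitExcept> applies the enclosed rules to every method that is NOT
    # listed, so POST, PUT and DELETE are covered, and so is any other
    # method (PATCH, for instance) that a <Limit POST PUT DELETE> block
    # would have missed.
    <LimitExcept GET HEAD OPTIONS>
        # Hosts allowed to write results: one single host, one subnet,
        # and the server itself.
        Require ip 192.0.2.10
        Require ip 198.51.100.0/24
        Require local
    </LimitExcept>
</Location>
```

The check is made against the peer address Apache sees, so behind a reverse proxy or load balancer every request arrives from the proxy's address and the allow list has to account for that.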