Summary
policyengine-api allows unauthenticated callers to create and mutate simulations and report outputs.
Severity
High
Impact
Any client can create jobs, mark simulations/reports complete or errored, and inject arbitrary output payloads.
Affected code
policyengine_api/routes/simulation_routes.py:13-212
policyengine_api/routes/report_output_routes.py:13-198
Details
PATCH handlers accept attacker-controlled status, output, and error_message without auth, request signing, or worker-only verification.
Expected behavior
Only trusted internal workers or authenticated authorized callers should be able to update job/result state.
Suggested remediation
- Gate create/update routes behind auth or internal signing
- Separate public read APIs from internal mutation callbacks
- Add tests proving anonymous mutation is rejected