Mass form submission

[gpsilv4]

The application data.gouv.fr provides forms that are not protected against automation of submissions on the pages:

• /api/1/datasets/ (Admin > + > A dataset)
• /api/1/reuses/ (Admin > + > One reuse)
• /api/1/organizations/ (Administration > + > An organization)
• /api/1/harvest/sources/ (Administration > + > A harvester)

Note: Although authentication is required, any user can create an account (with administrative access by default) and create these requests.

In this way, an attacker could degrade the service, as they would overload the server with a large amount of element creation. Furthermore, these submissions create entries on the page with public access.

Suggestion:
Implementation of a control against automation of form submission, for example, (if applicable) through the implementation of a CAPTCHA system (Completely Automated Public Turing test to tell Computers and Humans Apart), or limiting the submission speed (rate- limiting).

[maudetes]

The API being opened, the automation of POST submission is a feature of udata open data platform, used by many data producers.
However, configuring a rate-limiting (ex nginx rate-limiting) to prevent an overload is the recommended way to go if you want to prevent mass submition on your instance.