 

Google app engine: security of cron jobs

GAE provides cron jobs for scheduled jobs. How do I set some security to prevent someone from executing the HTTP GET directly? In the following example, I can type /updateData anytime in the URL field of a browser to execute the job in the following settings:

cron:
- description: daily update of the data in the datastore
  url: /updateData
  schedule: every day 00:00
  timezone: ...
Randy Tang asked Jan 07 '13 10:01



2 Answers

In addition to what Paul C said you could create a decorator that checks the X-Appengine-Cron header as illustrated below. Btw, the header can't be spoofed, meaning that if a request that hasn't originated from a cron job has this header, App Engine will change the header's name. You could also write a similar method for tasks, checking X-AppEngine-TaskName in this case.

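import functools

def cron_method(handler):
    """
    Decorator to indicate that this is a cron method and applies request.headers check
    """
    @functools.wraps(handler)  # keep the wrapped method's name and docstring
    def check_if_cron(self, *args, **kwargs):
        # Only requests issued by the cron service carry this header.
        if self.request.headers.get('X-AppEngine-Cron') is None:
            self.error(403)  # direct request: refuse and do not run the job
        else:
            return handler(self, *args, **kwargs)
    return check_if_cron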

And use it as:

import webapp2

class ClassName(webapp2.RequestHandler):
    @cron_method
    def get(self):
        ...  # body of the scheduled job
nizz answered Oct 17 '22 16:10
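The header check from the answer above, generalized to the task variant it mentions, as an added example that is not the answerer's code. `require_header`, `task_method`, `FakeHeaders`, `FakeRequest`, `UpdateData` and `simulate` are hypothetical names, and the fake classes are constructed stand-ins for webapp2 objects so the block runs offline; the check still relies on App Engine renaming these headers on outside requests, as the answer states.

```python
import functools

def require_header(name):
    """Build a decorator that answers 403 unless request header `name` is present."""
    def decorator(handler):
        @functools.wraps(handler)
        def guarded(self, *args, **kwargs):
            if self.request.headers.get(name) is None:
                self.error(403)          # direct request: refuse, skip the job
                return None
            return handler(self, *args, **kwargs)
        return guarded
    return decorator

cron_method = require_header('X-AppEngine-Cron')
task_method = require_header('X-AppEngine-TaskName')  # task variant from the answer

# --- constructed stand-ins for webapp2 objects (assumption, for offline runs) ---
class FakeHeaders(object):
    """Case-insensitive lookup, as HTTP header names are case-insensitive."""
    def __init__(self, headers):
        self._h = {k.lower(): v for k, v in headers.items()}
    def get(self, name, default=None):
        return self._h.get(name.lower(), default)

class FakeRequest(object):
    def __init__(self, headers):
        self.headers = FakeHeaders(headers)

class UpdateData(object):
    """Hypothetical handler for /updateData."""
    def __init__(self, headers):
        self.request = FakeRequest(headers)
        self.status, self.ran = 200, False
    def error(self, code):
        self.status = code
    @cron_method
    def get(self):                       # cron jobs arrive as GET
        self.ran = True
    @task_method
    def post(self):                      # guarded by the task header instead
        self.ran = True

def simulate(method, headers):
    """Return (status, job_ran) for one constructed request."""
    h = UpdateData(headers)
    getattr(h, method)()
    return h.status, h.ran
```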


You need to add

login: admin

to the handler, as detailed here: Securing URLs for Cron

E.G.

application: hello-cron
version: 1
runtime: python27
api_version: 1

handlers:
- url: /updateData
  script: reports.app
  login: admin
Paul Collingwood answered Oct 17 '22 17:10