Summary
The API documents the feedback endpoint:
# Request
{ "alert_id": "alert_001", "correct": false, "note": "Normal employee" }
This endpoint allows callers to mark security alerts as correct or incorrect. It is designed for authorized security personnel to provide ground-truth feedback to improve Eagle's accuracy over time.
However, there is no authentication or authorization on this endpoint. The consequence:
- Alert poisoning: An attacker who discovers the API URL (trivial via port scanning or network interception) can call
POST /feedback with "correct": false on every real suspicious alert, systematically teaching Eagle that true positives are false positives
- Training data corruption: If Eagle uses feedback for fine-tuning or threshold adjustment, poisoned feedback degrades the model's precision over time — the exact opposite of the endpoint's purpose
- Operational impact: Security teams that rely on Eagle's alert stream would lose confidence in a system whose feedback loop can be manipulated by anyone with network access
This is especially concerning in a system where the README says alerts are being used for arrest rate improvement (87% arrest rate via Honeypot system).
Proposed Fix
Add API key authentication to the feedback endpoint:
from fastapi.security import APIKeyHeader
from fastapi import Security, HTTPException
API_KEY_HEADER = APIKeyHeader(name="X-Eagle-API-Key", auto_error=True)
VALID_API_KEYS = set(os.environ.get("EAGLE_API_KEYS", "").split(","))
async def verify_api_key(api_key: str = Security(API_KEY_HEADER)):
if api_key not in VALID_API_KEYS:
raise HTTPException(status_code=403, detail="Invalid or missing API key")
return api_key
@router.post("/feedback")
async def submit_feedback(
request: FeedbackRequest,
_: str = Depends(verify_api_key) # ← Require authenticated caller
):
...
Document EAGLE_API_KEYS (comma-separated list of valid keys) in .env.example.
Acceptance Criteria
Labels: security, backend, priority: critical
Summary
The API documents the feedback endpoint:
This endpoint allows callers to mark security alerts as correct or incorrect. It is designed for authorized security personnel to provide ground-truth feedback to improve Eagle's accuracy over time.
However, there is no authentication or authorization on this endpoint. The consequence:
POST /feedbackwith"correct": falseon every real suspicious alert, systematically teaching Eagle that true positives are false positivesThis is especially concerning in a system where the README says alerts are being used for arrest rate improvement (87% arrest rate via Honeypot system).
Proposed Fix
Add API key authentication to the feedback endpoint:
Document
EAGLE_API_KEYS(comma-separated list of valid keys) in.env.example.Acceptance Criteria
POST /feedbackrequires a validX-Eagle-API-KeyheaderEAGLE_API_KEYSdocumented in.env.examplewith generation instructionsPOST /ingest, etc.) audited for similar missing authLabels:
security,backend,priority: critical