Security: protect simulation and report update routes from arbitrary writes

[MaxGhenis]

Summary

policyengine-api allows unauthenticated callers to create and mutate simulations and report outputs.

Severity

High

Impact

Any client can create jobs, mark simulations/reports complete or errored, and inject arbitrary output payloads.

Affected code

• policyengine_api/routes/simulation_routes.py:13-212
• policyengine_api/routes/report_output_routes.py:13-198

Details

PATCH handlers accept attacker-controlled status, output, and error_message without auth, request signing, or worker-only verification.

Expected behavior

Only trusted internal workers or authenticated authorized callers should be able to update job/result state.

Suggested remediation

• Gate create/update routes behind auth or internal signing
• Separate public read APIs from internal mutation callbacks
• Add tests proving anonymous mutation is rejected

[MaxGhenis]

Re-verified on origin/master @ 21a26d6: both PATCH endpoints are still public (only @validate_country, no auth / ownership check).

• policyengine_api/routes/simulation_routes.py:138-140

  @simulation_bp.route("/<country_id>/simulation", methods=["PATCH"])
  @validate_country
  def update_simulation(country_id: str) -> Response:

• policyengine_api/routes/report_output_routes.py:133-135

  @report_output_bp.route("/<country_id>/report", methods=["PATCH"])
  @validate_country
  def update_report_output(country_id: str) -> Response:

Any caller can still mutate any simulation or report row by ID. (PR #3399 protects the AI / tracer analysis endpoints but does not touch these writers.)

Side note: both endpoints also silently rewrite api_version on a content-free PATCH — filed as #3449 — which makes the missing auth hole even cheaper to exploit, since a no-op PATCH still counts as a write.