
vendor/composer/installed.json is exposed publicly #17378

Closed
fmarier opened this issue Mar 23, 2021 · 3 comments · Fixed by matomo-org/matomo-package#126
Labels: c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

fmarier commented Mar 23, 2021

Despite the recommended Nginx configuration explicitly denying files under vendor/, Matomo ends up serving up the vendor/composer/installed.json file due to a separate vendor/.htaccess config blurb:

# Allow to serve static files which are safe
<Files ~ "\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$">
		Require all granted
</Files>

which is generated by this code.

It would be preferable to keep that file private since it reveals exact versions of packages installed on a server. For example: https://demo.matomo.cloud/vendor/composer/installed.json

@fmarier fmarier added the Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. label Mar 23, 2021
@sgiehl sgiehl added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. and removed Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. labels Mar 23, 2021
Findus23 (Member) commented
At least in the nginx config this was intentional. I ordered the blocks so that in ~ ^/(config|tmp|core|lang) every request is blocked while in ~ ^/(libs|vendor|plugins|misc/user|node_modules) the static files you list are allowed.

I don't think the composer/installed.json is any issue, as everyone can also see it publicly on this repository or download it from the matomo.zip. But it might not be necessary to share the vendor/ directory, so you can try to move it to the other block (or change the .htaccess) and see if anything breaks.

@tsteur tsteur added this to the 4.3.0 milestone Mar 23, 2021
tsteur (Member) commented Mar 23, 2021

We could simply exclude it from the release zip as discussed (also similar files) and, in general, any composer.json, installed.json, package.json...

sgiehl (Member) commented Mar 25, 2021

Actually, composer.json and package.json are already removed. Seems only installed.json is missing. Will prepare a PR to fix this.
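An added audit check, not Matomo's code, that applies the `<Files ~ "...">` pattern quoted in the opening report to a vendor/ tree and lists which dependency manifests that pattern would grant; it is useful for verifying a release zip or a deployed install after the packaging fix discussed above. The sample tree and the `acme/widget` package are constructed for the example.

```python
import os
import re
import tempfile

# Pattern from Matomo's vendor/.htaccess as quoted in the issue: any file with one
# of these extensions is granted, which is how composer/installed.json gets served.
ALLOWED_RE = re.compile(
    r"\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$"
)

# Dependency-manifest names that reveal exact package versions (the files the
# maintainers mention stripping from the release zip, plus the lock files).
SENSITIVE_NAMES = {
    "composer.json", "composer.lock", "installed.json",
    "package.json", "package-lock.json",
}


def exposed_files(vendor_dir):
    """Return sorted, /-separated paths under vendor_dir whose name ALLOWED_RE grants."""
    hits = []
    for dirpath, _dirs, names in os.walk(vendor_dir):
        for name in names:
            # Apache's <Files ~> matches against the file name only, so test the basename.
            if ALLOWED_RE.search(name):
                rel = os.path.relpath(os.path.join(dirpath, name), vendor_dir)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def sensitive_exposed(vendor_dir):
    """Subset of exposed_files() whose basename is a dependency manifest."""
    return [p for p in exposed_files(vendor_dir) if os.path.basename(p) in SENSITIVE_NAMES]


def build_sample_tree():
    """Constructed sample vendor/ tree (not real Matomo files) mirroring the issue."""
    root = tempfile.mkdtemp(prefix="vendor-")
    sample = {
        "composer/installed.json": "[]",        # granted by the json alternative
        "composer/autoload_real.php": "<?php",  # .php is not in the pattern
        "acme/widget/assets/app.js": "",        # legitimately served static asset
        "acme/widget/composer.json": "{}",      # manifest packaging should have stripped
        "acme/widget/README.md": "",            # .md is not in the pattern
    }
    for rel, body in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for p in sensitive_exposed(build_sample_tree()):
        print("would be served:", p)
```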
