@samjf
It seems that various JSON configuration files are easily viewable by requesting them with a simple GET request. Some examples of these are:
- matomo-domain.example.com/plugins/AbTesting/plugin.json
- matomo-domain.example.com/plugins/CustomVariables/plugin.json
- matomo-domain.example.com/package-lock.json
Some various files I've observed:
- composer.json
- plugin.json
- package-lock.json
There could be useful to an attacker trying to monitor the patch version of Matomo sites, so the access settings should be made less permissive so that JSON files aren't as open to the web.
A useful command to enumerate over these from the core project isfind ./ -iname '*.json' | egrep -v '(vendor|lang|node_modules)'
@tsteur
FYI noticed originally json was added to fix some tests in https://github.com/matomo-org/matomo/commit/903b870466b62e8a655a0f6564d052583c0fb7ec#diff-dddd74c8019f3e240dad1e60bc6ffbdd906ad7fa396b3e272a493f5b4af0c5c7
I suppose we could check through all the tests and see if we can maybe remove json now. package-lock.json we'll soon actually remove from the release directly but then they might still exist when someone uses submodules (which we do in some places so far). Possibly could otherwise also just specifically disallow some json files like plugin.json and package.json etc
So here we'll remove json from https://github.com/matomo-org/matomo/commit/903b870466b62e8a655a0f6564d052583c0fb7ec#diff-dddd74c8019f3e240dad1e60bc6ffbdd906ad7fa396b3e272a493f5b4af0c5c7 and check if tests still pass. If that's the case we could proceed. If tests don't pass, comment here what the problem is and likely we won't do anything in that case.