Follow-up to #3308369: Block access to yarn.lock and package.json
Problem/Motivation
#2332029: Add test coverage for .htaccess rules added test coverage to ensure that files with certain extensions cannot be accessed through the browser. However, extending this coverage was missed in #3308369: Block access to yarn.lock and package.json.
It turns out that not only tests for the two new files are missing, but the functionality for yarn.lock seems broken.
Proposed resolution
Fix missing coverage for yarn.lock and package.json.
Fix functionality for yarn.lock.
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
Comment | File | Size | Author |
---|---|---|---|
#15 | 3327115-15.patch | 2.91 KB | alexpott |
| |||
#15 | 11-15-interdiff.txt | 1.78 KB | alexpott |
#11 | htaccess-test-yarnlock-packagejson-3327115-11.patch | 2.9 KB | Eric_A |
|
Comments
Comment #2
Eric_A CreditAttribution: Eric_A at RIVM, Dutch Open Projects commentedComment #3
Eric_A CreditAttribution: Eric_A at RIVM, Dutch Open Projects commentedComment #4
Eric_A CreditAttribution: Eric_A at RIVM, Dutch Open Projects commentedComment #6
Eric_A CreditAttribution: Eric_A at RIVM, Dutch Open Projects commentedOops...
Comment #8
Eric_A CreditAttribution: Eric_A at RIVM, Dutch Open Projects commentedLooks like the functionality for yarn.lock is in fact broken. Would be a bit embarrassing to enhance the .htaccess in 9.5.0 and 10.0.0 and having to then fix it immediately in 9.5.1 and 10.0.1, so escalating priority to major.
Comment #9
Eric_A CreditAttribution: Eric_A at RIVM, Dutch Open Projects commentedI'm really not into regex, but the patch attached seems to improve the situation.
It seems the original patch displaced a $.
Comment #11
Eric_A CreditAttribution: Eric_A at RIVM, Dutch Open Projects commentedRight, this is drupal/drupal, not drupal/core.
I had changed the scaffold htaccess, but forgot to change the root .htaccess.
Comment #12
Eric_A CreditAttribution: Eric_A at RIVM, Dutch Open Projects commentedComment #13
longwaveThanks for spotting this and adding the test. I agree that the regex is malformed and the
$
and|
have accidentally been added the wrong way round.Comment #14
alexpottI think we need a few more tweaks to be consistent with the
^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$
In fact I think really we should be putting both of these in that part of the rule for consistency... so it should be:
^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$
There are two more things that would be fixed by this... the dot would be escaped and therefore
packageAjson
would not be matched. But also the path would have to be exactly yarn.lock or package.json.Comment #15
alexpottHere's the fix as per #14
Comment #16
xjmComment #17
xjmI thought it might be easier to review the total change to the file from before #3308369: Block access to yarn.lock and package.json, so this is what I did:
Committed the approaches from #11 and #15 to local branches from 10.1.x named "11" and 15".
Compared changes in the relevant files in those branches to
2233484^
, which is the last commit before #3308369: Block access to yarn.lock and package.json, i.e.:.
Here's images of that to compare the two versions in color more easily:
#11
Scaffold file
.htaccess
#15
Scaffold file
.htaccess
Comment #18
xjmOh and since I can, here's the "colorized interdiff" for #15.
I consider this RTBC. If someone else can review and +1, I am also willing to commit this once the tests finish (despite the code freeze) to fix a bad regression for 10.0.0.
Comment #19
effulgentsia CreditAttribution: effulgentsia at Acquia commented#15 looks good to me. RTBC+1.
Comment #20
pandaski CreditAttribution: pandaski commentedDid a manual local test using Apache for testing htaccess.
The following are tested:
D10.0.x and D9.5.x
9.5.0-rc2 and 10.0.0-rc3
Before the patch:
both core/package.json and core/yarn.lock files are accessible with 200.
After the patch (via curl https://www.drupal.org/files/issues/2022-12-14/3327115-15.patch | git apply):
both core/package.json and core/yarn.lock files are 403 Forbidden
Comment #24
xjmThanks @pandaski for the manual test!
The test failure in https://www.drupal.org/pift-ci-job/2545386 is a known random that happens about once a week -- in fact it also just today happened in HEAD in https://www.drupal.org/pift-ci-job/2544788. So that is not blocking.
Committed to 10.1.x, and cherry-picked to 10.0.x and 9.5.x. Thanks!
I don't think this hotfix needs to be in the release notes; we can just use the release note @longwave added to the original issue.
Comment #25
xjmComment #26
Eric_A CreditAttribution: Eric_A at RIVM, Dutch Open Projects commentedThanks!
Realizing just now that there's also web.config. That one looks much less broken. Maybe it needs just the escaping of the dots.
To be honest I didn't really look into that file. Which seems to be a common pattern for many. :-)
Comment #27
xjm@Eric_A I may also forget about it 50% of the time. Including when committing this issue. However, looking at its current code, I think it's OK:
If there's anything not-right about it, let's open a followup? Thanks!
Comment #28
effulgentsia CreditAttribution: effulgentsia at Acquia commentedFWIW, I did check web.config before writing #19, and thought it was okay since it already included yarn.lock and package.json. However, I did miss that the dots weren't escaped there. I don't believe that's a security problem: it just means that web.config is denying access to file names (e.g.,
yarn-lock
) that it doesn't have to deny access to. But a follow-up to make that consistent with what's in .htaccess is worth doing.Comment #30
O'Briat CreditAttribution: O'Briat at Klee Interactive (Klee Group) commentedThis should be send to nginx to update their page about drupal:https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/ (which is by the way an outdated doc).
Here's the fix for nginx:
If I understand it correctly apache match only the last part of the url/filepath (most right directory or filename) but nginx match the whole path.
So in order to deny all
composer.json
,composer.lock
,web.config
,yarn.lock
orpackage.json
, I move this part to specific part of the regex:Could someone test and validate this modification?
As I don't understand what
Entries.*|Repository|Root|Tag|Template
is referring too, it would be nice to document this part.