Kirby Panel requests composer.json which triggers WAF #6878
Comments
|
IIRC, the whole point of this is a security check and testing whether that file is exposed. It's meant to fail, no? So the only way to fix it would be to disable all of those security checks. |
|
I am also not sure if I understand your issue @gitlabisbetterthangithub
This whole check is about testing whether the composer.json is accessible - it would be bad if it is, so the request is intend to fail. Testing another file would negate this security check as it is specifically about the composer.json. |
|
The whole Kirby folder is supposed to be inaccessible, correct? Couldn't we change the file from If This change still checks to see if the Kirby folder is exposed but won't trigger the WAF to block the user for checking a restricted file name. -- My problem is that the WAF will block the IP address of the Panel user who has clicked on the System tab because this security check is done in the background automatically. Perhaps an option in the config.php file for changing what security checks are performed or an option to stop automatically checking (& instead have a button). As a workaround, I've disabled the System view for normal users but I still would like to access this page without automatically being blocked by the WAF due to the Panel checking composer.json Let me know if you still don't fully understand. I might be able to do a screen recording |
|
I had the pleasure to work around a WAF before (in a different case, but still), so I agree in the first step we should switch to a different file path to check. Maybe even something simple like One check we won't be able to adapt though: So I think it could be a two-step fix:
|
Description
Loading the Systems view in the Panel will trigger Kirby to check if certain sensitive files are exposed, such as /kirby/composer.json, however these checks are done on the client side which can lead to the firewall on the server blocking the IP address of the Panel user because the Panel tried to request known sensitive files.
In my situation, the Web Application Firewall used is bitninja.io which will block IP addresses that try to access any of these files: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/restricted-files.data
This list includes composer.json, the file that Kirby tries to access to see if the Kirby folder is exposed.
Rather than requesting composer.json from the kirby folder, it would be better if Kirby tested a different file. This would mitigate the problem caused by requesting sensitive files that a WAF might block while still allowing Kirby to check if the kirby file is exposed.
I'm well aware that this bug could be resolved by disabling the WAF rule, but I believe that given that this problem could be an issue for others and that Kirby can develop a workaround, it would be better to change the code to accommodate this situation.
Expected behavior
While this bug largely depends on the environment that Kirby is deployed in, Kirby shouldn't be requesting known file paths that web application firewalls may treat as malicious, especially when making the request in the front-end (browser)
To reproduce
You won't be able to reproduce this bug unless you have a WAF that blocks /kirby/composer.json
Your setup
Kirby Version
4.5.0
Console output
The text was updated successfully, but these errors were encountered: