Problem/Motivation
This is a great module and functionally works well.
However, I have a concern about rolling this out to a client's site due to media entity ID enumeration. It's possible that once it's known that this module is enabled, it's then possible to write a bot or manually enumerate through IDs on the URL pattern /media/{media_id}/download. This isn't big news and has been the case with Drupal since day one, e.g. the node/{node} pattern, etc. Of course, there's access control in place, but we'd still rather not expose a mechanism where a variety of media resources could be easily enumerated from the website.
For the avoidance of doubt, I'm not suggesting this is a critical vulnerability, but it is a point of concern and a weakness in the incrementing IDs design pattern that is all over the place.
Steps to reproduce
- Enable this module
- Let your hacker friend know you're using this module
- Stand by as they build a bot to pull down all of your media items from your website
- Profit?
Proposed resolution
Allow an alternative mechanism to allow downloads by using media entity UUIDs under a different download URL while leveraging the core functionality of the DownloadController::download().
Remaining tasks
I've created a fork and added a merge request, awaiting feedback from the community and/or maintainers.
User interface changes
Extra option provided in DownloadLinkFieldFormatter to select the URL type - either 'id', or 'uuid' in Manage Display. For existing sites, ID is the assumed default.
API changes
Updated schema to add a new url_type property for the DownloadLinkFieldFormatter.
Existing sites will see this new key when exporting config.
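To illustrate the UUID-based download route proposed above, here is a hypothetical controller added as an example; it is not part of this issue's merge request or the module's code. It assumes a made-up module namespace (Drupal\example_uuid_download), the route shown in the comment, and, because DownloadController::download()'s signature is not given here, it serves the source file with core's file access check rather than delegating to that method.

```php
<?php
// Hypothetical route for this controller (routing.yml of the example module):
//   example_uuid_download.download:
//     path: '/media/uuid/{uuid}/download'
//     defaults: { _controller: '\Drupal\example_uuid_download\Controller\UuidDownloadController::download' }
//     requirements: { _permission: 'access content', uuid: '[0-9a-fA-F-]{36}' }
namespace Drupal\example_uuid_download\Controller;

use Drupal\Component\Uuid\Uuid;
use Drupal\Core\Controller\ControllerBase;
use Drupal\file\FileInterface;
use Drupal\media\MediaInterface;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpFoundation\ResponseHeaderBag;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

/**
 * Example controller: serve a media item's source file, addressed by UUID.
 */
class UuidDownloadController extends ControllerBase {

  public function download(string $uuid): BinaryFileResponse {
    // Defensive re-check of the route requirement: a malformed value is a 404
    // before any storage query runs.
    if (!Uuid::isValid($uuid)) {
      throw new NotFoundHttpException();
    }
    // UUIDs are not sequential, so a well-formed but unknown value reveals
    // nothing about neighbouring items; unknown and malformed both yield 404.
    $candidates = $this->entityTypeManager()->getStorage('media')
      ->loadByProperties(['uuid' => $uuid]);
    $media = reset($candidates);
    if (!$media instanceof MediaInterface) {
      throw new NotFoundHttpException();
    }
    // Entity access applies exactly as it does on the ID-based route.
    if (!$media->access('view')) {
      throw new AccessDeniedHttpException();
    }
    // Resolve the file referenced by the media type's source field.
    $field = $media->getSource()
      ->getSourceFieldDefinition($media->bundle->entity)->getName();
    $file = $media->get($field)->entity;
    // Core's file access handler covers private-scheme files and usage checks.
    if (!$file instanceof FileInterface || !$file->access('download')) {
      throw new NotFoundHttpException();
    }
    $response = new BinaryFileResponse($file->getFileUri());
    $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_ATTACHMENT, $file->getFilename());
    return $response;
  }

}
```

The UUID route only removes the guessable identifier; it does not replace access control, which is why the controller still runs the media and file access checks before streaming anything.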