Contrib.social

Security concerns storing values in the database

Open on Drupal.org β†’
Created on 23 April 2024, 2 months ago
Updated 25 June 2024, about 7 hours ago

I have been using this module on several personal sites for a hot minute, and love it. It was recently brought to my attention that there is, however, an inherent security concern/consideration simply because the assets are stored within the database, and for that reason it's unsuitable for some higher security requirement sites.

So, baring my ignorance here - what is the nature of the security concerns? Is the vulnerability limited only to users with access to create asset files? I'm assuming because the css/js is stored in the db, it could potentially allow malicious users to inject bad things - but that would necessitate a pre-existing db permissions writing vulnerability, correct?

Following... would there be a way to negate or minimize any such existing concerns by providing some sort of additional encryption or wrapping process where the final files used are stored in config?

Apologies in advance for not quite working this all out in my head beforehand.

πŸ’¬ Support request
Status

Closed: works as designed

Version

2.0

Component

Documentation

Created by

πŸ‡ΊπŸ‡ΈUnited States W01F

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @W01F
  • Comment 2 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States pookmish

    Any security concerns are handled by the security advisory process β†’ . Also, as mentioned on the module information "This module is definitely not a replacement for full-fledged theming" and standard theme development is recommended for long term stability.

    That being said, any concerns with storing the CSS/JS in the database is arguably minimal compared to any other data stored, such as user data, privileged content data, etc. If a user has access to manipulate data in the database, they have greater access to obtain more sensitive information. The permissions to edit via the UI is configured to be "restricted" and therefore there is a warning when granting permissions that there is a security concern with the message "Warning: Give to trusted roles only; this permission has security implications", therefore, any risk is assumed by the site administrator granting such a permission.

    Can you encrypt the data that is stored in the DB, sure. You can implement your own hooks such as hook_entity_presave and hook_entity_load and encrypt/decrypt the data stored in the DB. If you are concerned about the risk of the generated CSS/JS files, I will refer back to my first point and suggest standard theme practices. Drupal's CSS/JS aggregation as well as browser loading requires a static file to be available, so there's no other option than to have these saved to the file system upon page load.

  • Comment 2 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States W01F

    Thank you very much! That is extremely helpful and I will continue to dive more into this in the coming weeks. As I said, I'm already using and enjoy this on a few sites already in cases where the content editors want an easy way to add some of their own CSS/JS and understand the general implications - risks and best practices.

  • Comment 22 days ago β†’
    πŸ‡©πŸ‡ͺGermany Anybody Porta Westfalica

    @pookmish unclear how to proceed here. Should we close this works as designed?

  • Status changed to Closed: works as designed about 7 hours ago
  • Comment about 7 hours ago β†’
    πŸ‡ΊπŸ‡ΈUnited States pookmish
contrib.social Blog FAQ Discussions
Production build 0.69.0 2024