Contrib.social

Add "restrict access" to the "access security review list" permission

Open on Drupal.org →
Created on 4 December 2024, 7 months ago

Problem/Motivation

The "access security review list" permission allows seeing security check results, which can contain sensitive information about the website (path of unprotected folders, etc.).

The README correctly says:

NOTICE: This module provides information on the state of your site's security so
it is imperative you grant these permissions to trusted roles and users only.
For instance, if you have an admin role, be sure that all the users who have
been granted this role are indeed users you trust if you grant them these
permissions.

But in security_review.permissions.yml, these permissions don't have restrict access: true so Drupal doesn't know they are dangerous.

Proposed resolution

Add the "restrict access" flag to the "access security review list" permission.

(This has been discussed privately with the security team and it was decided it could be handled publicly.)

📌 Task
Status

Active

Version

3.1

Component

Code

Created by

🇫🇷France prudloff Lille

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @prudloff
  • Comment 7 months ago
    🇺🇸United States smustgrave
  • Merge request !81Add restrict access to permission → (Open) created by prudloff
  • Assigned to smustgrave
  • Pipeline finished with Success
    4 months ago
    Total: 327s
    #438215
  • Comment 4 months ago
    🇫🇷France prudloff Lille
  • Status changed to RTBC 4 days ago
  • Comment 4 days ago
    🇺🇸United States greggles Denver, Colorado, USA

    LGTM. Thanks.

  • Comment 4 days ago
    🇺🇸United States greggles Denver, Colorado, USA

    I will add my take: this doesn't feel exactly right to me from the perspective of Drupal's philosophy of restrict access. An attacker with access to a site that has a vulnerable configuration can already exploit it, regardless of the security_review report access. In fact, an attacker could look at the code of security_review on drupal.org for ideas of things to check even if the module is not installed. Restricting this access does make it less likely an attacker will find vulnerabilities and there are enough people who think this makes sense that I'm OK with the idea.

  • Comment 4 days ago
    🇫🇷France prudloff Lille

    In fact, an attacker could look at the code of security_review on drupal.org for ideas of things to check even if the module is not installed.

    I think it is true for most of the checks, but some checks could reveal information that would not be available (or hard to acquire) without this module.
    For example TemporaryFiles provides a list of sensitive files that could be downloaded. Without this information it could be possible to brute force the file name but if the file name is unusual it would be much harder.

  • Comment 4 days ago
    🇺🇸United States greggles Denver, Colorado, USA

    Yes, that's a great point in favor of continuing with the commit.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024