Information exposure about contained resources #1567

Open
csarven opened this issue Feb 5, 2021 · 0 comments

Given resources:

/foo/
/foo/bar
/foo/baz

where Agent has:

  • Read access to /foo/
  • Read access to /foo/bar
  • No read access to /foo/baz

NSS's response to authorized GET requests to /foo/ includes statements about /foo/baz (besides containment statements), e.g.:

<baz>
    html:Resource, ldp:Resource;
    terms:modified "2021-02-05T10:49:07Z"^^XML:dateTime;
    st:mtime 1612522147.974;
    st:size 12.

It'd be preferable to not expose types (besides indicating it is a container or a non-container, e.g. html:Resource), modified, mtime, size information about /foo/baz since the agent is not granted read access to /foo/baz.

See proposed security consideration: solid/specification#228

You may want to consider performance / response times if you follow-up on this change.
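
The filtering this issue asks for, as an added example that is not part of the original issue and is not NSS code. Statements are plain `{s, p, o}` objects, `canRead` is a hypothetical stand-in for the server's ACL check (called once per child to limit the response-time cost), the `SAFE_TYPES` allowlist is an assumption, and the sample listing is constructed on a placeholder origin.

```javascript
const LDP = 'http://www.w3.org/ns/ldp#';
const RDF_TYPE = 'http://www.w3.org/1999/02/22-rdf-syntax-ns#type';
const STAT = 'http://www.w3.org/ns/posix/stat#';
const DCT = 'http://purl.org/dc/terms/';
// Assumption: only these types are safe to reveal (container vs. non-container).
const SAFE_TYPES = new Set([LDP + 'Resource', LDP + 'Container', LDP + 'BasicContainer']);

// triples: [{s, p, o}] with full IRIs; canRead(iri) is a hypothetical ACL check.
function filterContainerListing(containerIri, triples, canRead) {
  // Children are the objects of the container's ldp:contains statements.
  const children = new Set(
    triples.filter(t => t.s === containerIri && t.p === LDP + 'contains').map(t => t.o)
  );
  const decision = new Map(); // cache: one ACL evaluation per child
  const readable = iri => {
    if (!decision.has(iri)) decision.set(iri, Boolean(canRead(iri)));
    return decision.get(iri);
  };
  return triples.filter(t => {
    if (!children.has(t.s)) return true; // about the container itself (incl. containment)
    if (readable(t.s)) return true;      // agent has read access to this child
    return t.p === RDF_TYPE && SAFE_TYPES.has(t.o); // unreadable child: coarse type only
  });
}

// Constructed sample: the /foo/ listing from the issue on a placeholder origin.
const FOO = 'https://pod.example/foo/';
const HTML_RES = 'http://www.w3.org/ns/iana/media-types/text/html#Resource';
function childTriples(name) {
  const s = FOO + name;
  return [
    { s: FOO, p: LDP + 'contains', o: s },
    { s, p: RDF_TYPE, o: HTML_RES },
    { s, p: RDF_TYPE, o: LDP + 'Resource' },
    { s, p: DCT + 'modified', o: '2021-02-05T10:49:07Z' },
    { s, p: STAT + 'mtime', o: '1612522147.974' },
    { s, p: STAT + 'size', o: '12' },
  ];
}
const sampleListing = [
  { s: FOO, p: RDF_TYPE, o: LDP + 'BasicContainer' },
  ...childTriples('bar'),
  ...childTriples('baz'),
];
const aclChecks = [];
const agentCanRead = iri => { aclChecks.push(iri); return iri !== FOO + 'baz'; };
const filtered = filterContainerListing(FOO, sampleListing, agentCanRead);
console.log(filtered.filter(t => t.s === FOO + 'baz')); // only the ldp:Resource type remains
```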
