-
Notifications
You must be signed in to change notification settings - Fork 225
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Protect uploads by default #934
Comments
Note that once this is implemented, we should either create an automated end-to-end test, or add a manual Hiptest scenario for it. We already have tests for asset protection itself, the important part here is that uploads are indeed getting this protection through userforms. |
The frustrating part about this is that we had this in place for the 3.x compatible userforms, and then removed it based on wrong assumptions about what functionality is tied to the old securefiles module: https://github.com/silverstripe/silverstripe-userforms/blob/4.6/code/extensions/SecureEditableFileField.php. See 6836174. I believe we should fix this in various ways (layered security):
|
Good idea to indicate that a file has come from a form submission. If each upload field has only one relation to a folder I think the folder should also have an indication it's only used by a form, although folders could contain both files from a form and files which are not from the form currently right? I agree it makes sense to protect the files as a smart default in case the admin doesn't have security awareness, but couldn't the folder still be changed by an admin to un-protect it with its permission being copied down to files? Potential use case... uploading a file to a shared gallery or shared submissions where you want others to be able to view the files/submissions. There was a case a while ago where a council wanted photos uploaded by the public which were instantly public (so the person uploading could see their addition to a collage) and these were reviewed every few hours by admins for inappropriate content. My thoughts:
|
There is no way of ensuring that without non-trivial work around upload validation - we don't have the concept of "exclusive ownership" of a folder for one use case (like userform uploads).
That's why I said this in the ticket description: "I think we should protect the individual file uploads by default, which always overrules their folder permissions:
If we do what I recommend above, that indication is given through the "Who can view this file?" selection on the "Permissions" tab. I'm a bit hesitant adding a "lock" icon or something to the UI on a file-by-file basis, because those additional permission checks with further slow down the response. We already check "canView" for the current user, but not for anonymous users. So there's a couple of things we could do:
I think the first item is MVP, everything else is a bonus where we have to evaluate tradeoffs. @clarkepaul @brynwhyman Thoughts? |
Looking good. For point 1. it might be better if the file linked to the actual form submission and not the page/form it was uploaded to, otherwise it might be hard to figure out which submission it comes from (1000's submissions). |
Alright, thanks for the early investigation here! I'm seeing the following ACs surfacing:
Plus some more implied by the DoD:
Perhaps we could also include something like the following to help with the management of files:
Feedback welcome @chillu @clarkepaul |
"Files uploaded through a userform are always protected on a per-file basis if they are placed in a protected folder"
No, I think that's too restrictive, we just have to make sure that it's very clear if authors pick an unprotected folder there.
Agreed. New AC:
The alternative is that we just remove this ability, but there are cases where userforms are used for anonymous uploads. For example, a council asking for tombstone pictures with a custom moderation queue. This example would continue to work, but it'd require an explicit opt-in. Alternatively, we could just provide event hooks, and it's up to devs to customise the implementation with a |
Re your comment:
So, you're saying this case should only apply if a file is uploaded to a protected folder? Shouldn't we be looking to protect all files by default regardless of the whether the folder is protected? This would go well alongside:
side note: we'll be discussing this issue in a bit more detail with the @silverstripeux team in the next couple of days. I expect we'll probably split out a few of these ACs into different cards too - so we can go a little deeper in to suggested solutions for each. |
No, that would make management of files harder, particularly without good batch abilities in AssetAdmin (only a handful of files at a time). By default, files should inherit from their folder. But userform uploads are particularly "toxic", and given our current CMS UI they might be mistaken. For example, a news author wants to embed the annual report into a news article, and searches for "report". The first result is |
Moving back to |
@bergice @brynwhyman I think this points to a protected channel, can you please outline the rationale here? |
We've moved this issue out of our internal ZenHub backlog while there's focus on defining ACs and digging deeper on related issues:
|
We've recently spent a considerable amount of time on a 'Harden form submission security' epic. Through opportunity and solution investigation this opportunity was not chosen to be developed in favour of the issues noted in my previous comment. With the release of CMS 4.6 and v5.3 of the userforms module the following functionality will be available:
This will be summarised nicely in the upcoming CMS 4.6 release announcement, but ultimately we chose a different path to what's been outlined in this issue description. @chillu are you happy to close this issue in favour of the features soon to be shipped? |
Given the above comment and support for closing from @clarkepaul in this comment, I'm closing this. |
At the moment, this relies on the author setting up the form to select an uploads folder that has been explicitly configured with access restrictions. We warn them on the file field creation dialog, but that really just creates more uncertainty.
By default, uploaded files are stored as public files in
/Uploads
. While this still relies on the file being linked to unauthorised parties, or them guessing the exact URL, that's a bad default. In 4.x, we have per-file access restrictions, so don't need to rely on permission control of the folder containing those files.In addition, folder protections might be inadvertently removed by other authors/admins because they're not aware that this folder contains sensitive user submissions (e.g. due to bad naming). While that could also happen to individual submission attachments, it's far less likely.
Conclusion: I think we should protect the individual file uploads by default, which always overrules their folder permissions. I don't think we need to make this configurable, it should be the new default. If you're building a system that allows unmoderated public file submissions, I don't think userforms is the right choice. Can anyone think of a use case that might explicitly rely on this?
Since this is an additional security measure, I don't think we need to create a task to retroactively apply this to existing submissions. That would be useful, but it's not essential.
Related: Clearly advise how to protect uploaded files
ACs: (todo)
Subtasks (todo)
The text was updated successfully, but these errors were encountered: