manifest.json is potentially sensitive #2876
Comments
|
Thanks for your question. We have precedent from a related issue regarding sourcemap defaults in Webpacker which can be summarized generally as "assets open by default." While I agree with your assessment "nothing in the default webpacker setup relies on being able to fetch manifest.json from the client", I have found this feature useful for debugging on numerous occasions. If you have access to settings on your webserver, it should be possible to disable public access though I understand that does require extra work on the developer and may not be feasible in all environments. Perhaps making the manifest path easier to customize could be a compromise. |
|
A configuration option would be a good first step, but I still think the default should eventually be changed. I feel that the issue here is qualitatively different from the one about source maps.* This is more like serving a default Apache * something I've been doing and advocating for years now. |
|
I've got a PR for discussion up here - #3152 - see what you think. |
@grncdr, please justify why this is a real security issue. |
|
I'm surprised it needs justifying. If Rails generated public/controllers.txt with a list of all the controllers used in the app, wouldn't that be considered a security issue? |
|
Disclaimer: I monkey-patched Webpacker in my codebase before opening this issue, and plan to migrate away from it in the future, so I personally don't care if webpacker ever does anything about this. I work on a monolith with three different frontends, that all interact with the same underlying domain. By merging all pack manifests into a single publically accessible file, any user of more "public" frontends can easily find the JS that is intended only for the "private" ones. Lucky for me, I've developed the habit of never put anything sensitive in any JS file, so my maximum theoretical exposure is limited to administrative URLs in e.g. The last kind of failure (misunderstanding) is really what I was hoping to address by opening the issue. I don't think most users expect that if they put code in |
I'm not sure I'd classify this as a "security issue" as it's somewhat context sensitive, but I feel it deserves some consideration.
Webpacker uses the WebpackAssetsManifest plugin to communicate the generated filenames from webpack back to Rails for use in view helpers (
javascripts_packs_with_chunks_tagetc). This manifest file will contain entrypoint information about all packs present inapp/javascript/packs, and will be served on the web at/packs/manifest.json.This could be considered a leak of private information if a user has multiple packs and expects that packs are only visible on "private" pages that include them using a view helper.
While obviously it's good practice to avoid committing anything sensitive into any JS file, there are degrees of sensitivity and a single Rails app commonly serves multiple audiences (e.g. users/admins). It might be fine for an authenticated admin to receive some information in a JS bundle that should not be exposed to all users. Currently a user (or security researcher) can trivially view the
manifest.jsonand download all assets for all packs.As far as I can tell, nothing in the default webpacker setup relies on being able to fetch
manifest.jsonfrom the client, so I would propose that webpacker should change it's defaults to generate/read that file from another directory (e.g./config/webpack/manifest.json).What are your thoughts?
The text was updated successfully, but these errors were encountered: