Insecure Filters

[mkovacek]

• Deny All rule: If I'm not wrong glob is deprecated and URL should be used instead

/0001 { /type "deny" /glob "*"} => /0001 { /type "deny" /url "*" }

• content grabbing rules: not secure enough (more selectors should be covered) /006 { /type "deny" /path "/content/*" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy)' /extension '(json|xml|html)' } => /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|jcr:content|_jcr_content|search|childrenlist|ext|assets|assetsearch|[0-9-]+)' /extension '(json|xml|html|feed)'

Would be good to verify rules before they are recommended with some popular tools like:

• https://github.com/escalate/aem-dispatcher-security-scan
• https://github.com/0ang3el/aem-hacker

and provide secure starting point configuration

[anujkapo]

Thanks, @mkovacek. We will take a look.

[anujkapo]

@adobe export issue to Jira project CQDOC

[github-jira-sync-bot]

:white_check_mark: Jira issue CQDOC-18267 is successfully created for this GitHub issue.