EliasHolzmann / mediawiki-docker

MediaWiki docker container for my private use

Sensitive data exposed to public access #1

Closed conf-test closed 3 years ago

conf-test commented 3 years ago

Hi, I'm a security researcher who recently worked on your docker image bartim/mediawiki on DockerHub. Since there is no place to report it on DockerHub, I just searched and found your repo here and am trying to report a security issue in that docker image.

After I set up the image, it seems like some sensitive files and directories are open to public access: composer.json, .scrutinizer.yml, .gitignore

However, none of these files should be exposed. For composer.json, as mentioned in https://www.acunetix.com/vulnerabilities/web/composer-installed-json-publicly-accessible/, it could leak component information to an attacker to exploit the vulnerabilities in dependencies.

For /.gitignore, it exposes development information like the directory layout. Allowing access to git metadata is risky, as mentioned in https://hackerone.com/reports/248693.

The file .scrutinizer.yml also leaks information about the server, like configurations that could be sensitive and risky.

Would it be better to block access to these in your docker image? Thanks!

Best, -ct
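A server-side way to stop serving the files named in the report, added here as an illustration and not part of the issue or of the image itself; it assumes the container serves MediaWiki with Apache httpd and that the snippet is placed in the vhost config or an `.htaccess` honoured by `AllowOverride`:

```apache
# Added example (not from the image): refuse direct HTTP requests for
# dotfiles and Composer metadata while leaving MediaWiki reachable.

# Any file whose name starts with a dot (.gitignore, .scrutinizer.yml, ...).
# Apache's default config already denies .ht*; this widens it to all dotfiles.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Composer manifests list the installed components and their versions.
<FilesMatch "^composer\.(json|lock)$">
    Require all denied
</FilesMatch>

# Whole metadata directories, e.g. a checked-out .git/ or vendor/composer/
# (which holds installed.json), regardless of the file name inside them.
<DirectoryMatch "/(\.git|vendor/composer)(/|$)">
    Require all denied
</DirectoryMatch>
```

After rebuilding the image, a request for /composer.json or /.gitignore should return 403 instead of the file contents.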

EliasHolzmann commented 3 years ago

Sorry for not answering earlier.

Thank you for your report. However, as the software used is open source and all dependencies are publicly known, I don't consider the public availability of this metadata to be a security risk.