
SECURITY ISSUE: Cache-Control headers are set on "public" on the download log file

Open wjstraver opened this issue 2 years ago • 3 comments

Hi all,

During a pentest, we just discovered a big security issue with using this package behind a CDN.

If you want to download the log file, it will do so on a url which looks like this: my-site.example/nova-vendor/KABBOUCHI/logs-tool/logs/laravel.log?time=1660030658425.

This will call the following controller method:

    public function show($log, Request $request)
    {
        if (! LogsTool::authorizedToDownload($request)) {
            abort(403);
        }

        return response()->download(Ward::pathToLogFile($log));
    }

I don't know if this is a default behaviour of the download helper in response(), but the Cache-Control header is set to public for the log file.

When using a CDN (Akamai in our use case), this means the CDN will cache the file and after a first request, the log file is available without security checks!

Please add something like the following to the response:

    return response()->download(Ward::pathToLogFile($log), null, ['Cache-Control' => 'no-cache']);

wjstraver avatar Aug 09 '22 07:08 wjstraver

Probably even better to use the no-store directive:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control

wjstraver avatar Aug 09 '22 08:08 wjstraver

Did some testing, and for now the most simple solution I've found is the following:

    return response()->download(Ward::pathToLogFile($log), null, ['Cache-Control' => 'no-store'])->setPrivate();

Without the setPrivate(), the response will have Cache-Control: no-store, public, which is not strictly a problem (with conflicting directives it will choose the most secure one), but in my opinion Cache-Control: no-store, private looks a bit better.

wjstraver avatar Aug 09 '22 09:08 wjstraver
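The three header values proposed in this thread (`no-cache`, `no-store`, and `no-store` plus `private`) differ in what a shared cache such as a CDN is allowed to do with the response. The following is an added example, not code from the issue or from nova-logs-tool: it classifies a Cache-Control response header the way a shared cache must per RFC 9111, so you can see why `no-cache` alone still lets the CDN store the log file, while `no-store` forbids storing it regardless of a trailing `public`.

```python
"""Classify Cache-Control response headers as a shared cache (CDN) would.

Constructed example. Directive semantics follow RFC 9111: no-store forbids
storing at all, private forbids shared caches, no-cache allows storing but
requires revalidation with the origin before reuse, public/max-age/s-maxage
make the response explicitly reusable by shared caches.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class CacheVerdict:
    may_store: bool   # may a shared cache keep a copy of the body at all?
    may_reuse: bool   # may it serve that copy without revalidating first?
    reason: str


def parse_cache_control(header: str) -> Dict[str, Optional[str]]:
    """Split 'no-store, max-age=0' into {'no-store': None, 'max-age': '0'}."""
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def shared_cache_verdict(header: str) -> CacheVerdict:
    """Most restrictive directive wins, even when 'public' is also present."""
    d = parse_cache_control(header)
    if "no-store" in d:
        return CacheVerdict(False, False, "no-store forbids storing the response")
    if "private" in d:
        return CacheVerdict(False, False, "private forbids shared caches")
    if "no-cache" in d:
        return CacheVerdict(True, False, "no-cache: stored, but must revalidate before reuse")
    if "public" in d or "s-maxage" in d or "max-age" in d:
        return CacheVerdict(True, True, "explicitly reusable by shared caches")
    return CacheVerdict(True, True, "no restricting directive; heuristic caching possible")


# Header values constructed to match the proposals in the thread.
SAMPLES = {h: shared_cache_verdict(h) for h in (
    "public", "no-cache", "no-store, public", "no-store, private")}
```

Running `SAMPLES` shows the CDN may store and reuse `public`, may store but not reuse `no-cache`, and may not store either `no-store` variant.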

@KABBOUCHI have you updated this? I have updated the modal size and updated the dark mode styling using codemirror instead of prismjs


anditsung avatar Sep 24 '22 03:09 anditsung