Open Scrumplex opened 2 weeks ago
A symptom of the same bug is that the tandoor-recipes-manage
file can also be read. Now it shouldn't contain any secrets, as those would also be in the Nix store, but it might reveal some information about the deployment to an outsider.
I have found at least one public instance of tandoor where I could read the contents of tandoor-recipes-manage.
Most deployments use Postgres, so I couldn't find a public instance with the main issue.
Is this an issue upstream as well? May want to report it there if so.
@eclairevoyant quoting from "additional context":
The upstream docker image seems to use a working directory separate from the media path.
I can see why this is an insecure default, and hadn't thought about it. I fear the (obvious) fix would be a breaking change needing user intervention: have /var/lib/tandoor-recipes be the working directory and /var/lib/tandoor-recipes/media be the default media folder.
Describe the bug
Tandoor Recipes' (TR) default media folder as well as its working directory is at /var/lib/tandoor-recipes.[1][2] Unless a Postgres connection is configured, TR is going to create a SQLite 3 database in its working directory.[3] But as media is also stored in the same directory, most users are going to blindly expose that directory to the network using Nginx or even by setting GUNICORN_MEDIA=true. This means that without special care, users will expose their SQLite database to the network too.
Steps To Reproduce
Expected behavior
The database should not be stored in the same directory as media.
Screenshots
N/A
Additional context
This problem does not manifest itself, if TR is deployed with a Postgres database instead.
The upstream docker image seems to use a working directory separate from the media path.
Notify maintainers
@ambroisie
Metadata
Please run
nix-shell -p nix-info --run "nix-info -m"
and paste the result.
Add a :+1: reaction to issues you find important.
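As an added illustration (not code from the issue, from nixpkgs or from Tandoor Recipes), the following Python audit checks whether a directory that is served as static media would also hand out files from the application's working directory. It reproduces both layouts discussed above in a temporary directory: the reported default, where the media folder and the working directory are the same path, and the split layout proposed in the comments, where media lives in a subdirectory of the working directory. The filename db.sqlite3 and the .sqlite3/.sqlite/.db suffixes are assumptions (Django's default SQLite name; the report only says "a SQLite 3 database"); tandoor-recipes-manage is the file named in the thread, and the sample files are constructed stand-ins.

```python
"""Audit whether a media directory, when served by a static file server,
would also expose the working directory and the SQLite database in it."""
from __future__ import annotations

import tempfile
from pathlib import Path

# Assumption: Django's default SQLite filename. tandoor-recipes-manage is
# the wrapper script named in the issue thread.
SENSITIVE_NAMES = ("db.sqlite3", "tandoor-recipes-manage")
SENSITIVE_SUFFIXES = (".sqlite3", ".sqlite", ".db")


def exposed_paths(media_root: Path, working_dir: Path) -> list[str]:
    """Return sensitive files a static server rooted at media_root would serve.

    Both paths are resolved (symlinks followed) before comparison. If the
    working directory is not inside the media root, nothing from it can be
    served and the result is empty; otherwise the media root is walked for
    files that belong to the working directory rather than to user media.
    """
    media_root = media_root.resolve()
    working_dir = working_dir.resolve()
    try:
        working_dir.relative_to(media_root)
    except ValueError:
        # Split layout: the working directory sits above (or beside) media.
        return []
    findings = []
    for path in media_root.rglob("*"):
        if not path.is_file():
            continue
        if path.name in SENSITIVE_NAMES or path.suffix in SENSITIVE_SUFFIXES:
            findings.append(str(path.relative_to(media_root)))
    return sorted(findings)


def build_layout(root: Path, media_subdir: str | None) -> tuple[Path, Path]:
    """Construct a fake deployment under root (constructed sample data).

    media_subdir=None reproduces the reported default (media_root == working_dir);
    media_subdir="media" reproduces the proposed split layout.
    """
    working_dir = root / "tandoor-recipes"
    media_root = working_dir if media_subdir is None else working_dir / media_subdir
    media_root.mkdir(parents=True, exist_ok=True)
    # Fake SQLite header and a stub wrapper script, standing in for the real files.
    (working_dir / "db.sqlite3").write_bytes(b"SQLite format 3\x00")
    (working_dir / "tandoor-recipes-manage").write_text("#!/bin/sh\n# stub wrapper\n")
    (media_root / "recipes").mkdir(exist_ok=True)
    (media_root / "recipes" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    return media_root, working_dir


def demo() -> dict[str, list[str]]:
    """Run the audit against both layouts and return the findings per layout."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        default_media, default_work = build_layout(root / "default", None)
        split_media, split_work = build_layout(root / "split", "media")
        return {
            "default": exposed_paths(default_media, default_work),
            "split": exposed_paths(split_media, split_work),
        }


if __name__ == "__main__":
    for layout, files in demo().items():
        print(f"{layout}: {files or 'no working-directory files reachable'}")
```

The default layout reports db.sqlite3 and tandoor-recipes-manage as reachable through the media root, while the split layout reports nothing, which is the property an operator would want to verify before pointing an Nginx location or GUNICORN_MEDIA at the directory.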