lf1707 / drupal-work


Risky data exposure #1

Open conf-test opened 3 years ago

conf-test commented 3 years ago

Hi,

I'm a security researcher and am doing some study of public Docker images. I found some misconfigurations in your Docker image lf1707/drupal-u1804-apache2-9 that may expose some sensitive data. I want to report these potential issues to you so you can fix them if necessary.

The data exposure I found includes:

  1. composer files: like /modules/contrib/dropzonejs/composer.libraries.json
  2. phpunit: like /modules/contrib/hook_event_dispatcher/phpunit.xml

The exposure is risky because

Would it be better to block these accesses in your docker image? If you want, I can also help fix them by creating pull requests on your git repo. Please let me know what you think. Thanks!

Best Regards,
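A self-check a maintainer can run against a locally started copy of the image to confirm that files like the two reported above are no longer served, added here as an example (it is not code from the lf1707/drupal-work repository). It assumes the container is reachable at BASE_URL and that curl is installed; the paths beyond the two named in the report are assumed examples of the same file classes.

```shell
#!/bin/sh
# Added example, not part of the lf1707/drupal-work project.
# Verifies that build/test metadata files are not reachable through Apache.
# Assumption: BASE_URL points at a locally running copy of the image.
BASE_URL="${BASE_URL:-}"

# Paths that should never be served. The first two are the ones from the
# report; the rest are assumed examples of the same classes of file.
SENSITIVE_PATHS="
/modules/contrib/dropzonejs/composer.libraries.json
/modules/contrib/hook_event_dispatcher/phpunit.xml
/composer.json
/composer.lock
/core/phpunit.xml.dist
"

# Print the HTTP status code for a URL. Kept as a separate function so the
# rest of the check can be exercised without a network (override it in tests).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# A 2xx status means the web server handed the file out, i.e. it is exposed.
is_exposed() {
    case "$1" in
        2??) return 0 ;;
        *)   return 1 ;;
    esac
}

# Check every sensitive path, report each one, and return the number exposed
# as the exit status (0 means nothing was served).
check_exposure() {
    count=0
    for p in $SENSITIVE_PATHS; do
        status=$(http_status "${BASE_URL}${p}")
        if is_exposed "$status"; then
            echo "EXPOSED ($status): $p"
            count=$((count + 1))
        else
            echo "ok ($status): $p"
        fi
    done
    return "$count"
}

if [ -n "$BASE_URL" ]; then
    check_exposure
else
    echo "set BASE_URL to the container, e.g. BASE_URL=http://localhost:8080" >&2
fi
```

A non-zero exit status means at least one file is still served; a 403 or 404 for every path is the expected result after the web server has been configured to deny them.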

lf1707 commented 3 years ago

Thanks for the notifications, I don't use the project anymore, it's an old record. But really thanks for the problem.

I will fix it later.


From: conf-test @.> Sent: May 4, 2021 6:09 To: lf1707/drupal-work @.> Cc: Subscribed @.***> Subject: [lf1707/drupal-work] Risky data exposure (#1)
