
Possible security concern: Static Web App serves arbitrary files from repo root #75731

Closed
ChevronSoftware opened this issue May 23, 2021 · 7 comments

Comments

@ChevronSoftware

Thanks to all involved in creating this excellent service and associated documentation!

The docs (if not the product itself) should perhaps address the following scenario:

  1. A web app exists at the root of a repo;
  2. The guidance here is followed to create the workflow YAML;
  3. The YAML can be downloaded by URL sniffing the deployed site, e.g. at /azure-pipelines.yml.

This feels like information that should not be made public, even assuming that secure variables have been properly used. Could other non-application files also be sniffed from the repo root in a similar manner?

I suggest the inclusion of best practices around this, even if as simple as placing the static app within a subfolder of the repo.


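The scenario in the opening post comes down to one thing: whatever sits in the directory that gets published is served verbatim, so repository plumbing (the pipeline YAML, workflow files, dotfiles) becomes downloadable alongside index.html. The following pre-deploy audit is an added example, not code from this issue or from Azure Static Web Apps; it walks a publish directory, flags files that look like repo housekeeping rather than site content, and returns their paths so a pipeline step can fail before upload. The denylist and the sample directory tree are constructed for the demonstration.

```python
"""Pre-deploy audit: list files in a static site's publish directory that
look like repository plumbing rather than application content.

Added example, not code from the issue or from the Static Web Apps service.
It assumes the publish directory is uploaded as-is; RISKY_PATTERNS is a
constructed starting denylist, not an official one.
"""
import fnmatch
import tempfile
from pathlib import Path

# Constructed denylist: root-relative paths that belong to the repo, not the site.
# fnmatch's '*' also matches '/', so ".github/workflows/*" covers nested files.
RISKY_PATTERNS = (
    "azure-pipelines.yml", "azure-pipelines.yaml",
    ".github/workflows/*", ".gitlab-ci.yml",
    ".env", ".env.*", "*.pem", "*.key",
    ".git/*", ".gitignore",
    "package.json", "package-lock.json", "requirements.txt",
)


def audit_publish_dir(root):
    """Return sorted POSIX-style relative paths under root that match a risky pattern."""
    root = Path(root)
    flagged = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(fnmatch.fnmatch(rel, pat) for pat in RISKY_PATTERNS):
            flagged.append(rel)
    return sorted(flagged)


def build_sample_tree(base):
    """Constructed sample: a site deployed straight from the repo root, with the
    pipeline YAML and other non-app files sitting beside index.html."""
    files = {
        "index.html": "<h1>hello</h1>",
        "css/site.css": "body{}",
        "azure-pipelines.yml": "trigger: [main]\n",
        ".github/workflows/deploy.yml": "on: push\n",
        ".env": "API_TOKEN=constructed-placeholder\n",
        "README.md": "# sample\n",
    }
    for rel, content in files.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return base


def demo():
    """Build the constructed tree in a temp dir and audit it; returns flagged paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_publish_dir(tmp)


if __name__ == "__main__":
    hits = demo()
    for rel in hits:
        print("would be served publicly:", rel)
    # A real pipeline step would exit non-zero here when hits is non-empty.
    raise SystemExit(1 if hits else 0)
```

Run against the constructed tree, the audit reports `.env`, `.github/workflows/deploy.yml` and `azure-pipelines.yml` while leaving `index.html`, the stylesheet and README alone. The structural fix the thread converges on is to keep the site in its own subfolder and point the deploy task's app location at that folder, so the publish directory never contains the repo root in the first place; the audit then acts as a guard against that configuration regressing.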

@NavtejSaini-MSFT
Contributor

@ChevronSoftware We are checking this and will get back to you.

@ChevronSoftware
Author

> @ChevronSoftware We are checking this and will get back to you.

Thank you very much for looking into this so promptly, much appreciated!

@SnehaAgrawal-MSFT
Contributor

@ChevronSoftware Thanks again for the feedback! I have assigned the issue to the content author to review further and update the document as appropriate.

@scubaninja
Contributor

Hi @ChevronSoftware! Thanks for the comment. The repo used in the tutorial is a public repo available on GitHub; we wanted users to have an easy-to-start tutorial for the documentation. While there are a lot of best practices that an organisation should follow, we do not address that in this article. I appreciate the input on putting a web app in a subfolder, but more to the point, a repo should be protected (authentication, etc.).

I appreciate the feedback, it's difficult sometimes to address every scenario. I'll notify the owner of the vanilla API repo to include the files in a subfolder. Yes, if we do move those files into a subfolder, it protects the access to the YAML. We wanted to show a 'root' folder config in the docs, but will discuss if this is something we should address with the team in the docs.

Including @anthonychu, can we look at getting an 'exclude files' tag in the ADO task?

@scubaninja
Contributor

@ChevronSoftware I've opened an issue here

@ChevronSoftware
Author

> @ChevronSoftware I've opened an issue here

Thank you @scubaninja, this is a great way forwards - much appreciated.

@scubaninja
Contributor

#please-close
